ISVs Urged to Boost Security and Own Up To Software Defects

BY JENNIFER DEJONG

Your brand new sweater has a hole in it. The coffee maker you got for Christmas doesn't power up when you plug it in.

No problem. A refund or replacement, and perhaps even an apology, is in order.

But what about that security defect you found in the software you licensed last month?

Sorry, the user of that software, not the company that makes it, is left holding the bag.

"That's a terrible way to do things," said Brian Chess, co-founder and chief scientist of application security toolmaker Fortify. "It's troublesome to shift the burden of security to the customer."

But that is where the responsibility lies today. When security flaws — essentially poorly constructed code that makes it possible for hackers to steal sought-after data such as credit card numbers — are found in software written in-house, a developer can move quickly to rework the code. But when the vulnerability identified is in an application licensed from an independent software vendor, IT professionals can't go it alone, because they don't have access to the application's source code.

"You say to the vendor: 'Hey, guys, you have got to fix this in the next release,'" said Mandeep Khera, vice president of marketing of application security toolmaker Cenzic. But that could take three months, or even six, he said. "You get the patch when you get the patch."

[Photo caption: Fortify's Chess decries putting burden for software defects on users.]

In the meantime, IT professionals must take interim measures to reduce the risk. "You have put the [code in question] behind the firewall or turned off the functionality that's affected," he said.

This issue is gaining attention as Cenzic and Fortify, among application security toolmakers, deliver offerings that look for security flaws in production applications. (Earlier offerings focused more on pre-production applications, written in-house



Nokia Buys Trolltech

Mobile, Linux drive Scandinavian acquisition

BY ALEX HANDY

It's a merger made in the land where the Linux kernel began. Nokia, Finland's largest company, announced Jan. 28 that it would acquire Norwegian software development company Trolltech in a deal valued at US$150 million. The acquisition brings Nokia some of Linux's most heavily used graphical user interface libraries as well as a powerful mobile software development team in Australia.

Trolltech is best known for its Qt, a multi-platform C++ GUI library that has expanded, since its creation in 1991, to become a multi-purpose application development library, and KDE, the open-source Linux desktop environment that is tightly coupled with Qt. But, for Nokia, the most attractive item in the Trolltech stable is likely to be Qtopia, a Qt-based mobile environment, which Trolltech created in 2001.

Since that time, Qt has evolved more significant cross-platform capabilities. Qt is lining up for a July release that aims to allow developers to build Qt applications once and run them on Mac OS X, Windows and Linux without modification. The current Qt offers this capability in preview form.

Qtopia was built to ease the development of cross-platform and rich mobile phone-based applications. Since its creation, Trolltech established a new office in Australia, where it now handles most Qtopia development. Trolltech also produces the Greenphone, a development-centric mobile phone designed as a test bed for developers.

NORSE SOFTWARE-OLOGY

For Nokia, the acquisition fleshes out the company's software strategy. The deal "is all about trying to use the fantastic technology Trolltech has to develop software that can span across platforms, regard-




Sun SPOTs Promise Pervasive Java

Paving way: sensors, programmable devices

BY ALEX HANDY

SANTA CLARA — Sun Microsystems engineers envision a future in which mobile applications will include numerous links to real-world sensors and devices.

During the recent Java Mobile and Embedded Developer Days event at the company's campus here, Sun and its partners explored the future of mobile and embedded devices, and the topics generally assumed more physical functionality down the road. The two-day event kicked off with a discussion of Java ME security, and then moved on to the utilization of Bluetooth APIs in embedded devices. GPS receivers, wireless detection systems, RFID and the creation of impromptu "mesh" networks with mobile devices were also on the agenda. In the afternoon of the first day, Sun SPOTs, the company's answer to pervasive computing, became all the rage.

The hardware and software that make up a SPOT are available as open-source specifications and code, Sun said. The company also disclosed a price drop and some new university programs.

The device's longer moniker — Sun Small Program-
HTML 5: More Than Mere Markup

New APIs, elements created to adapt Web apps to rich media

BY DAVID WORTHINGTON

Nothing is as constant as change — and the language that runs the Web is no exception. HTML's days as a simple markup language are numbered. The next major revision will be adapted and extended for rich media.

The HTML Working Group of the World Wide Web Consortium (W3C) published an early draft of the HTML 5 specification on Jan. 22. The group has added APIs for audio, graphics and video, interactive document editing, and the maintenance of persistent client-side data storage.

New attribute and element tags will embed audio and video content and simplify indexing by search engines, rendering on small-screen devices and using voice readers for the visually impaired.

Some deprecated elements — center, font and strike — were dropped in favor of CSS, which provides the same functionality.

Developers may write HTML 5 using either an HTML or XML syntax, and the spec will have precise rules for handling and recovering from syntax errors. HTML 4 browsers can ignore HTML 5 constructs, and existing HTML content is supported.

The group has been focused on developing technology for Web applications to enable them to be natively supported across browsers and platforms, said Mike Smith, a browser technology specialist with W3C. Another objective was to reduce the scripting that Web developers must do.

"Contrast that with the current situation with AJAX, where we have a number of AJAX toolkits that are not interoperable, not supported across browsers, and that require Web developers to do much more scripting," said Smith.

He added that HTML is being redefined from a simple markup language into one that is abstract and more than "just about serialization. What is going on internally within browsers is much more complicated than just dealing with HTML markup itself. That is what we are trying to address."



RISE OF THE RIA

In one way, what's going on internally in browsers matches the evolution of the Web. Ten years ago, pages were generally static blocks of text and images. Today, that's changed because of the rise of the Rich Internet Application, or RIA.

Roughly a third of developers and development decision makers indicate they are using RIA technology as part of their development toolset, said Forrester Research senior analyst Jeffrey Hammond. HTML 5 is being created with that growing constituency in mind.

Hammond said that new elements should help to improve the expressiveness of the core language, by "adding better syntax tags for improved controls, and better support for rich media."

He added, "If the updates are adopted by the major browser vendors, the result will raise the bar in terms of what a developer can do with straight HTML to create rich interfaces."

W3C expects to make a recommendation for HTML 5's adoption in 2010. Ian Jacobs, W3C's head of communications, noted that the standards body was considering splitting up HTML 5 into modules that could evolve independently.



Business Rules Undergo Change

Forrester report scopes trends in business rules market

BY JEFF FEINMAN

The business rules market is growing in importance, with three key trends driving business rules platforms, a Forrester Research report says.

The report, released in early January, says that first off, a new wave of market consolidation has begun as major platform suppliers recognize the importance of business rules technology. Second, providers are starting to offer tools and processes that allow business people to directly create and maintain business rules. Third, independent suppliers are adding prebuilt rules applications to drive growth.

"As we move into this new generation of applications based on SOA, we encounter ideas like business process management, and business rules are turning out to be very helpful in building those applications," said John Rymer, the Forrester vice president and principal analyst who wrote the report.

MARKET CONSOLIDATION

As the business rules market starts to move into the application development mainstream, some of the major providers have embraced business rules as a component of their application server platform suites. Back in October, SAP announced its intent to acquire Yasu Technologies, and according to the Forrester report, became the last of the "big four" platform companies to offer business rules. IBM, Microsoft and Oracle already offer business rules engines and tools, primarily to support business process management application development.

"Right now, these companies basically rely on partners for business rules platforms, even for Yasu, because it's not yet integrated into NetWeaver," Rymer explained. "The problem is, if you rely on partners, there's always integration work that has to be done. You have to pay a separate license price to another vendor. It's a little more complicated."

Additionally, the Forrester report predicts that an increasing number of independent business rules specialists will acquire other independent providers. The first such acquisition was Australia-based RuleBurst acquiring Haley Systems in November of 2007. The report notes that Haley has some of the strongest tools for business analysts in the market.

TOOL UP THE ANALYSTS

In order for business rules suppliers to grow, they must put tools into the hands of business analysts, Rymer said. Because of this, tools are being created that not only allow business members to write and complete rules, but also provide visual expressions and testing. Such tools for business analysts are also helpful to developers who prefer tools that allow them to focus on business tasks and processes. Companies will provide their own repositories and life-cycle management tools, he added, or rely on third-party source management products to allow collaboration between business analysts and application developers in building and maintaining business rules.

The Forrester report said that some of the main companies that offer leading tools for business analysts are CA, Redwood City, Calif.-based Corticon Technologies, Haley and Yasu.

Many companies have tweaked their products to cater more to business analysts. Haley, for instance, expanded its authoring to include a decision table with built-in testing, while Corticon packaged its business rule management features for incorporation into third-party and custom solutions, including its own tools.

PACKAGING IT TOGETHER

Many business rules platform suppliers are offering packaged solutions, layering frameworks and consulting services on top of the supplier's platform and tools. The report said that it expects business rules providers to either experiment with packaged applications or provide advanced authoring, testing, and rules management tools to fill gaps in business rules features in products. It is important for enterprise application suppliers to expose policy, decision, process and other definitions for modification as needed to keep up with business change.

[Photo caption: Partnering for rules platforms is difficult, says Forrester's Rymer.]

The Forrester report said that although many big platform companies now offer business rules features, there are limits to what those features offer. Suppliers are offering these simple business rules modules as part of their BPM, and according to Rymer, the primary purpose of those rules engines is process routing. However, there is a lot more to business rules applications, he argued. In order to make complex decisions to business rules functions such as pricing rules on a daily basis, there must be the ability to access rules that need to be changed, and an opportunity to test and manage the rules.




Software Industry Bright Spot in Economy

Report: Developers earn almost double the average U.S. salary

BY ALEX HANDY

A report from the Software Information Industry Association shows that the United States can rest assured its software industry is still on track. While the rest of the country slows down because of the credit crisis, the January report underscores that the software industry is still growing at almost twice the rate of the GDP. Software and information technology workers are also earning their pay at a much higher rate than their counterparts in other industries.

David LeDuc, director of public policy at the SIIA, said that the software industry is a bright and shining star in the otherwise bleak American economy. Of the SIIA, he said, "We call ourselves the software association for the software and digital content industry." LeDuc's specific duties focus on providing information, research and consulting to governments seeking information about software.

Last July, LeDuc began work with his colleagues on a report titled "Software and Information: Driving the Global Knowledge Economy." The report focuses on the bare numbers of the software industry, as measured by the government. Those numbers were then compared to the gross domestic product and other economic indicators, such as wage growth and jobs made available.

After six months of work, LeDuc said that he was surprised to see some of the results. "Our biggest surprise was the sheer size of the numbers in the GDP comparison. We knew we were going to have above-average findings, but in terms of doubling wages and tripling growth, it was surprising," he added.

THE TRUTH IS IN THE NUMBERS

Those numbers showed that the software industry is almost always ahead of the curve when it comes to growing revenues and employing talented workers at good pay.

According to LeDuc, the annual growth of the U.S. GDP in recent years has been between 4 and 5 percent. But for the software industry, that number is doubled. For 2006, the report saw GDP growth between 3.2 and 3.9 percent, while the software industry as a whole recorded growth of between 10.8 and 11.1 percent.

For workers, the study showed that there were 17.4 percent more software and information management jobs than there were 10 years ago. That's far above the national average. For comparison, during that same period, which ended at the beginning of 2007, the real estate bubble created job growth of 21.4 percent. Compared to manufacturing jobs, which shrank at about these same rates, the software industry helped to average out the number of jobs grown, overall, in the U.S. between 1997 and 2006. Overall job growth in the U.S. has been relatively flat over this period, thanks to electronics, chemical and transportation manufacturing jobs moving overseas.

LeDuc pointed out that, since July, those real estate jobs have dwindled, while the software industry has not dropped off at all. Despite some small pockets of trouble, the software and information industry in the U.S. now employs over 2.7 million people, with more than 400,000 jobs added since 1997.

[Photo caption: SIIA's LeDuc: "In terms of doubling wages and tripling growth, it was surprising."]

Software industry workers are also significantly better paid than their counterparts in other industries, according to LeDuc.

For a software industry worker in 2006, he noted, "the annual average salary was US$75,000." That's almost double the national average salary, which is $42,000.



Eclipse Use Rising; Java, Web Top Apps List

BY ALAN ZEICHICK

The popular open-source IDE keeps gaining adherents. Fully 17.1 percent of enterprises report that all developers are using Eclipse, a jump from 13.5 percent a year earlier, a November study shows.

The fourth annual Eclipse Adoption Study was conducted by BZ Research, which, like SD Times, is a division of BZ Media. The study was conducted independently of the Eclipse Foundation or of any other organization.

Late last year, 48.0 percent of enterprise software development managers said that a majority of developers use Eclipse, the study shows. That number is up from 43.0 percent a year earlier.

While total Eclipse usage is on the rise, fewer Eclipse users are on the very latest version of the tool chain. In the 2006 study, fully 48.7 percent of organizations were using Eclipse 3.2 "Callisto," which came out about five months earlier. In the 2007 study, which was conducted about five months after Eclipse 3.3 "Europa" came out, only 38.3 percent were on the current version.

Which Eclipse "bits" are currently used by your organization?

Java Development Tools (JDT): 57.7%
Web Tools Project - J2EE Standard Tools: 34.6%
Web Tools Project - Web Standard Tools: 34.6%
Eclipse Modeling Framework (EMF): 24.8%
Eclipse Rich Client Platform (RCP): 21.1%
C/C++ IDE (CDT): 21.0%
Web Tools Project - JavaServer Faces: 20.0%
Graphical Editor Framework (GEF): 19.0%
Web Tools Project - AJAX Tools Framework: 19.0%
Visual Editor (VE): 16.9%
Data Tools Platform (DTP): 15.8%
Graphical Modeling Framework (GMF): 14.8%
Test & Performance Tools Platform (TPTP): 14.6%
Mylyn (formerly Mylar): 14.3%
PHP Development Tools (PDT): 13.1%
UML2: 11.1%
All others: below 10%

Another indicator of the growth of Eclipse: When asked, "What are your plans for using Eclipse-based tools and technologies over the next 12 months, compared to your current usage?" the November 2007 study reported that 52.0 percent of Eclipse users said they would be increasing their use of the platform, while 35.6 percent said they would maintain the same level. Only 1.7 percent indicated that they would be decreasing or stopping their use; the rest did not know.

What's Eclipse used for? Java and Web development. Last year, 77.5 percent of Eclipse users cited Java development and 57.1 percent pointed to Web development. By contrast, only 15.6 percent said that it is used for C/C++ development, and 6.2 percent for Ruby development. Those usage patterns were consistent across all four years of the study.

Also remaining fairly constant: the reasons organizations use Eclipse or Eclipse-based tools and technologies. The top reasons continue to be that the platform is low cost, is open source, and has a wide variety of plug-ins.

One enthusiastic respondent wrote that Eclipse represents a "free, open and active platform with very innovative but pragmatic community, diverse applications and tool spectrum, exciting opportunities through the plug-in system, supports dynamic requirements of modern software development."

A section of the study asked about Eclipse plug-ins. While slightly more respondents in 2007 said that their team used plug-ins — 58.5 percent, compared with 53.5 percent in 2006 — the number of plug-ins per developer (of those who use plug-ins) appeared to decline. In 2006, 55.7 percent of respondents used one to four plug-ins, 27.7 percent used five to nine, and 16.6 percent used 10 or more. A year later, 60.6 percent used one to four, 22.1 percent used five to nine, and 14.0 percent used 10 or more.

MORE FEATURES, FUNCTIONALITY

One reason might be that more functionality is built into the Eclipse platform itself. Another could be that plug-ins offer more features or that one current plug-in can replace many older ones. Still another could be that using many plug-ins can cause problems. "Occasionally have plug-in conflicts that can be painful," wrote one respondent.

In usage patterns, some plug-in categories changed, with the biggest jump occurring in those who use AJAX/Rich Internet Application plug-ins. That went from 16.2 percent in 2006 to 34.6 percent in 2007. Usage of Web services frameworks rose from 21.3 percent to 35.4 percent. Functional testing plug-ins climbed from 11.3 percent to 24.1 percent.

The most popular Eclipse plug-ins remain those for HTML/Web development (58.5 percent), XML editing/parsing (51.9 percent), unit testing (50.5 percent), code/text editing (49.2 percent) and debugging (45.9 percent).

The full Eclipse study is available for purchase from BZ Research at www.bzresearch.com.
HP Revamps Systinet; Adds Specific Use Cases

New SOA governance offerings promise integration, interoperability

BY DAVID WORTHINGTON

Systinet has been passed around like a hot potato. Just two years after Mercury Interactive had the foresight to acquire it to enter the emerging market for SOA infrastructure, the governance tools are now HP-branded.

HP SOA Systinet became generally available on Jan. 28, along with the latest addition to the company's governance software portfolio, HP SOA Registry Foundation. The company also announced broader industry support for its Governance Interoperability Framework (GIF).

By letting developers validate would-be services against enterprise policies through an Eclipse-based plug-in, HP SOA Systinet aims to break down the silos between development and production. It now works with HP's SOA Manager life-cycle management tool.

Integrating design time and runtime would help engage developers earlier in the governance process, improving utilization of services, said Avrami Tzur, HP's vice president for SOA.

HP SOA Systinet also offers graphical navigation to depict how services are related to artifacts and other services, as well as more robust reporting and search functions. Users may initiate a process to propose new services to the governance body, said Tzur.

HP SOA Registry Foundation is meant for ISVs to embed into their SOA solutions. According to Tzur, the product is an offshoot of Systinet's registry, but simplified for three specific use cases.

The first use case covers packaged applications and distributed software; the second involves highly replicated environments or isolated devices that run SOA applications; and the third centers on developers' attempting to mimic production systems within the development environment.

Tzur explained that developers can test for endpoint resolution inside of their environment, test against policies, and that the registry acts like a table of contents for applications that need to use other services.

LOOKING GIF IN THE MOUTH

In an effort to promote its governance framework as a standard for SOA governance, HP will make its specifications publicly available at its hp.com domain and Wikipedia. GIF makes it easier to exchange information between HP SOA Systinet and third-party technologies.

Ten partners are joining HP in support of the framework: Active Endpoints, Alcatel-Lucent, Cisco, JackBe, Layer7 Technologies, LogicLibrary, Nexaweb, Oracle, Sonoa Systems and Vordel.

Mark Lajeunesse, director for worldwide SOA practices in HP Services, said an ecosystem of vendors is needed to make SOA infrastructure work together. "GIF is a way to connect infrastructure components and help them exchange information; it adds layers of visibility and trust," he added.
SpringSource Springs for Covalent

BY ALEX HANDY

It's Tomcat's world, we're all just coding in it. SpringSource announced last month it would acquire Covalent, a Walnut Creek, Calif.-based open-source service and support company.

SpringSource, formerly known as Interface21 and headquartered across the bay in San Mateo, is behind the Spring Framework, while Covalent is best known for its service and support of Apache Software Foundation applications, such as Apache Web Server and Tomcat.

While Covalent offers many support options for a variety of products, SpringSource CEO Rod Johnson appears most excited about the company's Tomcat offerings. With Tomcat rapidly widening its lead as the world's most popular Java application server, Johnson hopes that the acquisition of Covalent will bolster SpringSource's ties to enterprise Java users in Fortune 500 companies.

But the biggest and most important part of the acquisition is also Covalent's largest service and support offering: Tomcat. Mark Brewer, CEO of Covalent, said that Tomcat accounts for over half of all his company's service and support contracts. With IBM's WebSphere and BEA's WebLogic trailing behind Tomcat in overall popularity, the acquisition of Covalent instantly makes SpringSource the center of the universe for almost two-thirds — 64 percent — of Java application server users, according to BZ Research.

Covalent also sells enterprise software on a subscription basis, though its offerings are packaged bundles of software, mostly from Apache. The company's most popular software product has been the Enterprise Ready Server, a bundle that includes the Apache Web server and Tomcat rolled into a ready-to-run package.

Johnson said that these packages, which include yearly subscriptions to service and support contracts, will likely be modified in the future to include SpringSource components.

SpringSource, on the other hand, will not be making significant changes to its lineup due to this acquisition. "We also will continue with the Spring portfolio of products," said Johnson. "It runs on any environment. It runs perfectly well without Tomcat. We're committed to ensuring that will continue to be the case."

SPRINGING INTO TOMCAT

Johnson said that the synergies created between Tomcat and Spring make this acquisition a perfect fit. He referenced a survey taken at a recent Spring conference which showed that 93 percent of respondents using Spring were also running Tomcat.

"Covalent has an outstanding reputation and track record, both within the open-source community and among the hundreds of top organizations that rely on them for Apache project support," said Johnson. "The SpringSource and Covalent combination is poised to lead the industry's rapid migration to simpler, more flexible application platforms."

Both companies are still privately held, and no financial details of the deal were disclosed. Johnson did, however, state that he plans for SpringSource to go public eventually.
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Open-Source Mashups? WS02 Says Yes, Please 

Mashup Server generates Web services, Ul artifacts from JavaScript 



BY DAVID WORTHINGTON 

The social enterprise trend has 
gone open source. WS02 has 
repurposed its Web Services 
Application Server so that it 
works with its service registry 
to enable enterprise mashups. 

The server, based on 
Apache Axis2 and licensed 
under the Apache License 2.0, 
delivers mashups as Web ser- 
vices that are reusable and gov- 
erned to meet the standards of 
a particular enterprise, via 
WS02 s Web services platform. 

WS02, an open-source 
SOA infrastructure software 
maker, released Mashup Serv- 
er 1.0 on Jan. 28. The server 
automatically generates Web 
services and UI artifacts from 
JavaScript text files that are 
placed in a virtual directory in 
its registry. REST endpoints, 
JavaScript stubs and WSDL 
simplify the construction of 
HTML and rich application 
interfaces, said Jonathan 
Marsh, director of mashup 
technologies at WS02. 



The registry is more than a 
repository for mashup code; it 
also enables functions such as 
comments, rating and tagging. 

The server processes and 
aggregates information for ser- 
vice content from a variety of 
sources, such as ATOM and 
RSS feeds, HTML and other 
Web services. Services are 
tagged with metadata so that 
other mashups or Web service 
clients can more easily con- 
sume them. 

The services are managed 
through a browser-based con- 
sole that provides access con- 
trol and permits multiple 
users, who can rate and tag 
services in a Web 2.0 manner 
influenced by social network- 
ing paradigms. 

While the mashup server is 
governable and has access control built in, the larger WSO2
suite provides "higher level" 
governance, and the registry in 
particular, explained Redmonk 
analyst Michael Cote.

"WSO2 is building out this
full suite, so we're just seeing
pieces of it released," said 
Cote. "They hope that each is 
a viable piece of stand-alone 
middleware, and the whole is 
the more complete solution. 
Their mashup server fits into 
their overall platform, includ- 
ing the identity management 
component they have that 
goes toward making it possible 
to control access to data, track 
which identities are accessing 
data, and do other ongoing 
audit-centric stuff." 

HAVE IT YOUR WAY 

WSO2's XML Web service
model permits the separation 
of content and presentation 
logic. Marsh explained that 
each mashup is a service unto
itself and that the content is 
not tied to any one user inter- 
face or form of service, as 
opposed to Google Maps, 
which is tied to an interface. 
The developer may choose any 
user interface for the mashup 
product — not only feeds or
HTML pages, but also e-mail
and instant-messaging clients, 
he added. 

Services may be set to exe- 
cute code periodically or run a 
task over a long time. "They 
can accomplish tasks that were 
the dream of those working on 
agent technology for a long 
time," Marsh said, noting that 
he created his own mashup 
that will send an SMS message 
to his cell phone when the 
temperature outside drops 
enough to produce a frost that 
would harm his lemon trees. 

The WSO2 Mashup Server
can run on a local machine to 
accomplish personal notifica- 
tion tasks, as well as scale to 
the enterprise. Mashups may 
be migrated, and the same 
installation that is on a laptop 
can be uploaded from a local 
machine to a team or enter- 
prise server, Marsh said. 

Indeed, the industry is 
entering another phase of 
SOA deployment, a more 
Web-like model, Marsh said.
"The Web model is infiltrating
and empowering enterprise," 
he added. "As more data is 
exposed as RSS and Web ser- 
vices, [social computing] is 
finding new users throughout 
the enterprise. The IT depart- 
ment's 'ten commandments' 
are giving way to a Web 2.0 
concept of trust, the personal 
reputation of individuals and 
teams within the enterprise." 

Redmonk's Cote explained 
that the WSO2 mashup server
is about data integration and 
helping people quickly throw 
together views of data flows. 

"There's lots of companies 
that are doing this sort of Web 
2.0 version of PowerBuilder, 
FileMaker, VB and Hyper- 
Card, to reach back to the pre- 
Web days," Cote said. 
"They're all building Web- 
based frameworks to let peo- 
ple quickly assemble applica- 
tions, but this time with the 
hopes of using more IT 
department- and governance-friendly back ends."

IBM Rational Gives Makeover to System i



BY JEFF FEINMAN 

IBM rolled out four tools to unbundle its Rational offerings and to help modernize development methods for System i.

"We want to help our customers protect and grow their investments in System i, so the tools will be there to help them do that," said Scott Searle, IBM Rational enterprise modernization marketing programs director. "Additionally if they want to modernize, the tool set will help them do that."

Searle said that IBM Ratio- 
nal has moved away from the 
WebSphere Development Stu- 
dio Client (WDSC) because 
customers had trouble finding 
the tools they needed within it. 



IBM's new offerings for System 
i make it less complex for cus- 
tomers; for instance, they can 
more easily use IBM's ILE 
RPG compiler, which works 
only on System i servers. Other 
compilers have been unbundled from WDSC in this
release as well.

The first of the tools, Ratio- 
nal Developer for System i, was 
released Jan. 29 and is an 
Eclipse-based IDE for creating 
traditional i5/OS business 
applications. Customers can 
use other open-source tools 
with Rational Developer, which 
will allow them to edit, debug 
and compile RPG code. 

THE TARGET IS SOA 

IBM Rational plans to intro- 
duce more tools to help 
enhance System i — celebrating 
the 20th anniversary of its 
launch as AS/400 — in the near 
future. 

Slated for a March release 
is IBM Rational Business 
Developer, an Eclipse IDE for 
IBM's Enterprise Generation 
Language (EGL), which devel- 
opers can use to create and 
deliver Web applications and 
SOA solutions. EGL, intended 
specifically for System i, will 
let a user look at an application 
running on the system and fig- 
ure out what each of the com- 
ponents do. This ability, 
according to Searle, will 
improve connectivity between 
System i and distributed envi- 
ronments, while helping cus- 
tomers work out the behavior 
of poorly documented legacy 
applications. 

IBM Rational Developer 
for System i SOA Construc- 
tion, meanwhile, is a more 
advanced version of Rational 
Developer that will enable 
users to create Web services 
using RPG/COBOL programs 
or service programs. 

"This combines Rational 
Business Developer with the 
Rational Developer for System 
i, so it's a way to get the two 
together in an integrated way," 
Searle said. 

IBM Rational HATS (Host 
Access Transformation Services 
for 5250 applications), another 
upcoming tool, will help devel- 
opers extend terminal applica- 
tions to HTML and Web ser- 
vice clients for easy access by 
customers and business part- 
ners. According to Searle, 
HATS can take a green-screen 
application and quickly trans- 
late it into a more modern GUI, 
so that a user has pictures 
instead of lines of code. HATS 
can also prepare code to be pre- 
sented by the IBM WebSphere 
application server.

Black Duck Wades Into Early Life Cycle

Code Center aims to introduce proper guidance for due diligence 



BY ALEX HANDY 

For developers beginning pro- 
jects based on open-source 
building blocks, the legal issues 
can be just as vexing as the 
code. Building applications 
with Eclipse may be routine to 
navigate, but tapping open- 
source libraries for closed- 
source software that will run on 
an open-source database cre- 
ates a legal labyrinth. 

To ease the tracking and 
monitoring of all those pieces, 
Black Duck Software Inc. has 
created Code Center, a Web- 
based management system that 
can shoulder some of the bur- 
den developers assume from 
legal teams doing due diligence 
on new software projects. 

Addressing the concerns 
over monitoring the use of 
open-source software in enter- 
prise development processes, 
Code Center, released on Jan. 
28, is a Web-based open-source 
license information and man- 
agement site. Business analysts 
and development managers 
alike can create stacks of open- 
source software and associate 
them with internal projects. 
Then, when lawyers assess the 
building blocks of said applica- 
tion, Code Center can format 
reports detailing all of the 
licensing nitty-gritty involved. 

Black Duck CEO Doug Levin 
said, "We believe from practical 
experience that companies want 
to harness third-party and open- 
source components, because 
[doing so] lowers the cost of 
development. These require an 
approval process, and it's often 
very involved, using multiple 
people in multiple locations." 

MAKING PROCESS PROGRESS 

To meet the needs of far-flung 
development teams, Black 
Duck Code Center is Web- 
based. For US$50,000, enter- 
prises can buy a 25-user license 
and gain access to a system that 
can shepherd the approval 
process through any organiza- 
tion. Developers logged into 
Code Center can select the 
components they'll be using 
from Black Duck's catalog of 
open-source software. The 
licenses for those components 
then can be categorized and 
viewed by the legal team 
involved in approval. 

As development matures, projects can be added or subtracted from Code Center's listings. Developers will not have to maintain their own internal lists or spend time compiling those sticky legal details for the lawyers.

For Black Duck, the goal is to be tapped earlier in the development cycle, said Levin. He added that Code Center could help when developers and business people are "seeking out meta-information about those components [they are using]."

Levin said that Code Center 
could solve the approval pro- 
cess woes that may afflict soft- 
ware development teams. A 
pretty face on the process can 
let weekly meetings take a back 
seat to coding, he added.






NEWS 



Software Development Times . February 15, 2008 . 



www.sdtimes.com 



NEWS BRIEFS



COMPANIES



Newmerix, a provider of enterprise application life-cycle change tools, 
has joined Microsoft's Startup Accelerator Program, which is 
designed to connect startups to a support network of Microsoft peo- 
ple and programs. Microsoft chooses program participants based on 
growth potential and strategic importance to the company and offers 
customized engagement plans to support software and market devel- 
opment efforts . . . Cynergy Systems, a specialist in rich Internet 
applications, has created Cynergy Labs, 
which gives developers a forum to commu- 
nicate with the company's management 
team. The first project that Cynergy Labs has produced is Maestro, 
which offers a multi-touch interface in a Microsoft Windows Presenta- 
tion Foundation application. 




NEW PRODUCTS 



Software-based file management provider GlobalSCAPE has 
released the GlobalSCAPE High Security-PCI tool for ensuring com- 
pliance with the PCI Data Security Standard. The tool enforces the 
use of secure protocols, helps organizations comply with data-stor- 
age requirements by using repository encryption, and enables admin- 
istrators to restrict certain IDs for access . . . Embarcadero Tech- 
nologies has released EA/Studio Community Edition, a free 
business process modeling tool. It supports XML and Business 
Process Modeling Notation, includes standard process modeling ele- 
ments and can import Visio diagrams. This marks Embarcadero's 
third database tool based on Eclipse . . . Vitria Technology, a spe- 
cialist in BPM tools, has introduced the M30 BPM suite. Included is 
Exception Manager, which can help automatically resolve process 
exceptions across the enterprise. It runs on J2EE platforms and 
offers business-level modeling, automated resolution and event-dri- 
ven process management capabilities. 



UPDATES 






The openSUSE Linux distribution framework from Novell has added 
capabilities to build packages for the CentOS distributor and Red Hat 
Enterprise Linux. The framework already supports Debian, SUSE 
Linux Enterprise and Ubuntu . . . Version 4.0 of the K Desktop Envi- 
ronment was released, bringing a host of refinements to the popular 
Linux environment. Backed by the new Phonon multi- 
media framework, KDE's user-facing elements have 
been upgraded with new art and flashier graphics. 
Also included are the new Plasma shell, Dolphin file 
browser and a sleek desktop theme known as Oxygen 
. . . Programming tool company Desiderata Software 
has released version 2 of Jaxcent, a Java API for accessing and mod- 
ifying the Document Object Model (DOM) of Web browsers. Version 2 
of Jaxcent can be used for AJAX operations, and it runs on the Inter- 
net. The tool now runs on the server side and gives Java program- 
mers full control over the client's DOM hierarchy . . . Safety and mis- 
sion-critical application provider Aonix has released version 8.3 of 
ObjectAda for Sun's Solaris platforms. The release integrates Aonix's 
development toolkit, an Eclipse-based environment, into ObjectAda
and gives developers access to tools through the Eclipse framework. 
ObjectAda 8.3 also lets developers attach a new debugging facility to 
the application . . . Wyse Technology, a specialist in thin computing, 
has released Wyse X90L and X90Le, two new models for its mobile 
thin-client line. The tools, based on Microsoft Windows XP Embedded, 
offer Gigabit Ethernet, VGA and DVI display outputs, plus an inte- 
grated smart card reader. 



PEOPLE 



Greg Lupion has joined BZ Media's SD Times as manag- 
ing editor. Lupion had been executive editor of operations 
for EE Times, where he spent 17 years, before joining SD 
Times. Previously, he was the wire copy editor for the
Paterson News in New Jersey.

Mule's Galaxy on a Quest
For Open-Source Governance



BY DAVID WORTHINGTON 

Governance is increasingly 
important to large-scale SOA,
but robust solutions tend to be
costly. MuleSource aims to turn
that around with a new open-
source platform called Mule
Galaxy.

Dave Rosenberg, CEO of the 
open-source SOA infrastructure 
vendor, described Galaxy as "an 
open-source Systinet," referring 
to HP's SOA governance solu- 
tion. He said that Galaxy, made 
generally available last month, is 
competitive on price because it's
open source. 

Jason Bloomberg, managing 
partner with analyst firm Zap- 
Think, said that the absence of 
an open-source SOA governance 
product was a hole in the market 
and that Mule's entry is well- 
timed. "Galaxy will give HP 
Systinet and Software AG Cen- 
traSite a run for their money 
eventually," he said, noting that 
while Systinet and CentraSite 
are mature, enterprise-class 
products, Galaxy is at version 1.0. 

"As a result, we wouldn't 
expect Galaxy to have much of 
an effect on the market for a year 
or two," Bloomberg added. "And 
while Galaxy matures, the com- 
mercial vendors will also be 
moving ahead, continually 
improving their products, so the 
eventual size of Mule Galaxy's 
market share is up for grabs." 

Galaxy is part of a broader rollout of the Mule Enterprise Service Bus, which is accompanied by a beta release of Mule Saturn 1.0, a monitoring tool for business processes.

Galaxy is complemented by 
a registry and repository to 
store and manage SOA arti- 
facts, dependency manage- 
ment and lifecycle manage- 
ment, and querying and 
indexing capabilities. Managed 
through a Web console, the 
platform is designed to inte- 
grate with multiple frame- 
works, such as Apache CXF, 
Microsoft's Windows Commu- 
nication Foundation (formerly 
known as Indigo) and Mule. 

Galaxy can be deployed 
alongside the Mule ESB or as a
stand-alone component of any 
SOA infrastructure. The plat- 
form is extensible to allow cus- 
tomers to deploy custom policy 
types and has out-of-the-box 
support for Mule configura- 
tions and WSDL. 

While the Mule Community 
Edition ESB remains freely 
available for all users, Mule- 
Source has begun to offer a new 
subscription-only version of its 
ESB, Mule 1.5 Enterprise Edi- 
tion, that provides pre-integrat- 
ed infrastructure components, 
data and patch management 
tools, and monitoring capabili- 
ties. Technical support services 
are part of the subscription. 

Rosenberg said that MuleSource was catering to an increasingly "Fortune 1000" user base and that the new ESB offering was better suited for mission-critical scenarios. But the Fortune 1000 connection does not imply that the Mule ESB costs a fortune. He added that open-source solutions make SOA "less of a rich man's sport."

DRIVING OPEN-SOURCE SOA 

"Interest in open-source SOA 
infrastructure is growing rapidly 
because of the increasing use of 
SOA in general, the spread of 
proprietary ESBs, and the low 
cost of open-source ESBs, which 
have the potential to reduce soft- 
ware costs and enhance vendor 
independence, especially where 
other open-source components 
are used," Roy Schulte, a vice 
president and distinguished ana- 
lyst at Gartner, said in a prepared 
statement. 

The Mule ESB can be ex- 
tended with real-time transac- 
tion monitoring and logging for 
subscribers only. Mule Saturn 
1.0 is a beta version of a business activity-monitoring tool
that offers process flow visual- 
ization and transactional data 
monitoring across the SOA 
infrastructure. 

Saturn has facilities for busi- 
ness users to view workflow and 
state; drill-down and root-cause 
analysis; process visualization, 
including parent/child and sub- 
process analysis; searching on 
transactions; and reporting on 
service-level agreements.

The Galaxy console can be used to store and manage the artifacts in a service-oriented architecture.



Klocwork Brings Source Code Analysis to the Developer

An IDE-based plug-in removes downstream organizations from the workflow 



BY DAVID WORTHINGTON 

Source code analysis has typically been a "downstream" activity that takes place after the code is written. Klocwork believes that it has a better solution to SCA: namely, integrating it into the IDE to prevent developers from checking in faulty code.

Klocwork released its newest family member, the Insight static analysis tool, on Jan. 28. Insight works with widely used editors and IDEs, including Eclipse, GNU Emacs, JetBrains IntelliJ IDEA, Microsoft Visual Studio, vi and Wind River. Other notable changes include a new high-level declarative language that customizes checkers and updated Java analysis capabilities.

Gwyn Fisher, Klocwork's 
chief technology officer, claims 
that having downstream orga- 
nizations perform source code 
analysis instills unnatural cul- 
tural barriers, thereby creating 
a broken workflow and inciting 
a negative connotation. Per- 
mitting developers to check in 
code that doesn't work makes 
software more expensive, he 
explained. 

DETECT PROBLEMS EARLIER 

"Software developers today fix 
quality issues in code well 
after they originally write it, 
because source code analysis 
typically happens late in the 
development cycle," said Vish- 
wanath Venugopalan, enter- 
prise software analyst at The 
451 Group. "By injecting 
insight about issues identified 
at the system level into the 
developer's workspace, Kloc- 
work Insight saves developers 
an additional step and makes it 
more likely that quality issues 
are identified as code is being 
written." 

Venugopalan added that 
developers are likely to heed a 
tool that funnels relevant infor- 
mation into the IDE. 

Insight's declarative lan- 
guage is based on XPath and 
customizes the analysis of C, 
C++ and Java codebases, said 
Fisher. "They can model what 
they want to go look for." 

Its Java code analysis is no 
longer an adjunct to the com- 
piler. Fisher explained that Java 
compilers have begun to intro- 
duce "noise" through their indi- 
vidually unique optimizations, 
making analysis "viciously com- 
plicated." Insight now analyzes 
Java source rather than byte- 
level code, and uses Klocwork's 
own compiler. 

"There is more rich concep- 
tual information in source code 
versus byte code. We have the 
ability to add checkers and ana- 
lyze all of Java, not just the core 
language," Fisher said, adding 
that Insight works with 12 Java 
frameworks, including Hiber- 
nate and Java ME. 

Insight is available either as 
a stand-alone version for Java or 
as an integrated edition for C, 
C++ and Java.

AccuRev Configures With ClearCase



BY JEFF FEINMAN 

Attempting to create what it 
calls a faster, less complex soft- 
ware configuration management 
alternative to IBM's Rational 
ClearCase, AccuRev released 
version 4.6 of its namesake tool 
for ClearCase. 

Announced last month, the 
tool allows parallel and agile 
development with AccuRev in 
ClearCase environments. The 
company says the tool allows 
adoption of AccuRev through 
real-time bi-directional synchro- 
nization, sans rework or porting. 

AccuRev officials said that 
ClearCase has not kept up with 
today's development needs, 
including agile, globally distrib- 
uted and parallel programming 
methods. The very high cost of 
ownership and maintenance for 
ClearCase doesn't mesh well 
onto new business environ- 
ments, where speedy develop- 
ment is key, they add. 

David Jabs, vice president 
of engineering for AccuRev, 
said that ClearCase was built 
on a model where parallel 
development consisted of two 
separate releases, and there 
might be hundreds of those 
stages over time. 

"What happens today, of 
course, is that people are a lot 
more flexible in their relation- 
ships for development," Jabs 
said. "There's a lot more paral- 
lel activities that people want to 
accomplish, and they find that 
their old tools can't deliver 
them, because they weren't 
designed to deliver them." 

Jabs added that the changing 
ClearCase models can be costly. 

SOMEWHERE IN BETWEEN 

Ashok Reddy, director of offer- 
ing management for IBM Ratio- 
nal, countered by saying that 
ClearCase's ability to support 
highly scalable, parallel develop- 
ment with a repeatable process 
is well known with many suc- 
cessful customer deployments. 

"Our customers who are 
adopting agile development are 
looking for guidance on how to 
implement agile software prac- 
tices for large scale develop- 
ment efforts," Reddy said. 
"IBM Rational has responded 
to this need by delivering sup- 
port for continuous build inte- 
gration with Rational Build 
Forge and Rational ClearCase, 
facilitating test driven development by integrating test management
with Rational ClearQuest and by providing agile
best practices and services 
designed to assist customers in 
implementing agile develop- 
ment for large scale develop- 
ment efforts." 

Jeffrey Hammond, a senior analyst with Forrester Research, said the truth lies somewhere in between. "With ClearCase, there are two ways to set it up," he said. "You can choose to use unified change management, which is the process that's more or less embedded and hard-coded in ClearCase as an out-of-the-box workflow. As long as you're willing to use that, it can support geographically distributed teams, do parallel releases, and it's not too difficult to get it running and administered. If you want to do things that are outside of that model, then you essentially have to drop back to base ClearCase, and when that happens, there's a lot of scripting . . . and you have to be very knowledgeable about the way ClearCase works."

EJB's Path to Browser Takes Shape

JSR 299 for Web Beans spec fosters loose coupling, strong typing 



BY ALEX HANDY 

If the committee designing JSR 299 has 
one goal, it's simplicity. Java Specification 
Request 299, also known as Web Beans, 
is designed to bring Enterprise Java 
Beans into the world of the browser with- 
out the incongruities of JavaServer Faces. 
The result is expected to 
be a unified component 
model for EJB and JSF, 
easing the building of 
Web applications backed 
by the heavyweight Java 
infrastructure. 

The Road to Java EE 6: An Occasional Series
JSR 299: Web Beans

Gavin King, founder of the Hibernate (Java-based object-relational mapping/persistence framework) project and specification lead on JSR 299, explained that JSF and Java EE in general still need work.

"EE needs to be trimmed down a bit," he noted. "There are technologies that are part of the EE platform that are really not needed and are not pulling their weight. There are a number of specs where visibility still needs to be simplified. The servlets specification needs to be simplified. JSF really needs some major improvements."

One of King's gripes about the Java EE stack is that many of the components needed to build usable Web applications don't behave in similar ways. JSF requires a different set of commands and instructions than standard Java, while Java Portlets require configuration and care to get going. Those factors translate into lost developer productivity, which can make alternative Web frameworks and languages, such as Ruby on Rails and PHP, seem more attractive than Java.



For that reason, King has been build- 
ing Seam at JBoss, a framework that 
aims to let Java developers write simple, 
standard Java code and to have the 
framework handle all of the custom JSF, 
Portlet and AJAX calls. 

JSR 299's improvements will be coor- 
dinated with other JSRs, particularly 
314, covering JavaServer Faces 2.0. 

THE THEME IS THE SEAM

"The theme of [JSR 299] is the idea of loose coupling with strong typing," King said. "We want to provide a component model, which provides for loosely coupled, very maintainable code. I guess the real point is that Web Beans lets you use EJB very easily from inside the user interface of your application."

Because King's day job at Red Hat's Middleware division has included much work on Seam, the lessons King has learned from that project may leak into JSR 299. Seam's overarching goal is to hide the complexity involved in building Web applications backed by enterprise Java from both the developer and the business user.

"Seam is very much focused on the idea of contextual state management," King said. "It has a contextual component model where components have a managed life cycle. It's very big on the idea of conversations, and it's also where the idea of this deep integration into the Web layer of EE is coming from."

For now, the specification remains on 
the drawing board. As the other specifi- 
cations that will form Java EE 6 begin to 
take shape as well, so too will JSR 299. 
King expects to have a beta reference 
implementation of the code available 
before the end of 2008.



Rules for .NET 3.0 Works With
Visual Studio, Office 2007

ILOG deepens partnership with Microsoft 



BY DAVID WORTHINGTON 

ILOG's business rules management sys- 
tem for .NET now works with Office 
2007, Visual Studio and .NET Frame- 
work 3.0, the company said. 

The announcement comes about 
two months after ILOG joined 
Microsoft's Business Process Alliance 
program. 

ILOG Rules for .NET 3.0, released 
Jan. 22, allows business users to edit 
and manage business rules in Excel 
and Word 2007, through a tab in the 
Office ribbon toolbar. Working with 
SharePoint Services, the system lets 
users collaborate on rules as Share- 
Point Web Parts. 

Rule Studio for .NET, the compo- 
nent that works with Visual Studio 
2005, has been re-engineered with a 
new rule editor, said Chris Berg, Rules 
for .NET product manager. The new 
rules editor has features similar to 
Microsoft's Intellisense technology; 
they have been customized for rule 
editing and termed "IntelliRule" by 
ILOG. 

ILOG Rules for .NET also supports the Windows Communication Foundation (WCF), attempting to make it easier to deploy rules in an SOA environment. Developers are able to publish decisions from within Visual Studio or using Microsoft's MS Build platform. Those decisions can be shared across deployed applications, managed centrally, and monitored using tools from the Microsoft stack, including PerfMon (Performance Monitor) and the Windows event log.

MEETS MONITORING REQUIREMENTS 

Berg explained further in an e-mail: 
"The solution includes support for built- 
in WCF PerfMon counters and several 
decision-level counters for a wide range 
of monitoring requirements." 

ILOG joined the Business Process 
Alliance Dec. 3. The alliance is a 
Microsoft initiative to make BPM tools 
more broadly available on its plat- 
forms. One perk of membership is 
technical assistance from Microsoft. 
Berg said that Microsoft's assistance 
helped it integrate with many different 
areas across its platforms.

Java Isn't Garbage for Event Processing



BY ALEX HANDY 

When it comes to speed, 
there's no competing with 
native languages. But Java's tra- 
ditional Achilles heel, garbage 
collection, is becoming less and 
less of an issue as application servers step up and take on the challenges of complex event processing. Such was the experience of one group of consultants who are impressed with BEA Systems Inc.'s WebLogic Real Time Edition and its WebLogic Event Server.

Lab49 is a software development consulting firm based in New York and London. Ross Hamilton, of Lab49, said that the company primarily deals with financial institutions. While Java may have previously been shunned as a language for building actual trading programs, he said that his company's work with BEA has demonstrated that the language can be run fast enough to meet the demands of this difficult market.

"They've got their runtime 
server able to control the profile 
and see where the bottlenecks 
are all the way down," said 
Hamilton of BEA's WebLogic
Event Server. "From a develop- 
er standpoint, what they've real- 
ly done is strip down the 
WebLogic J2EE server to a 
lighter-weight Java container."

With the many new Java 
environments capable of run- 
ning complex event-processing 
engines, Hamilton said that the 
biggest hurdle for development 
teams is now modeling. "You 
really need to think about how 
you model events and how they 
pass through various event 
processors," he added. "You 
have to think about how you 
can change and optimize the 
event-processing network to 
handle things like scalability 
and synchronization. That's a 
big deal because, quite often, 
there are certain complex busi- 
ness processes dependent on 
the states in the models. You 
need to be careful how these 
events are synchronized." 

CEP FOR YOU AND ME 

The key to a successful CEP 
installation, said Hamilton, is a 
proper grasp of what's going 
into the system. "I think one of 
the key things is to have a well- 
normalized model of the data 
flowing into it. You need a real- 
ly good definition of events," he 
explained. "If you're starting off 
having a good clean model of 
that, you're going to set yourself 
up really well. You're going to 
understand the flow through 
changes of state." 

For the future of CEP, 
Hamilton said, the biggest chal- 
lenge for framework and engine 
makers would be scalability and 
applicability. 

"I think within CEP, gener- 
ally, you have to understand 
where it should be applied 
[and] where it should not be 
applied as well," Hamilton said. 
"It wouldn't necessarily make a 
great HR system. In the bigger 
picture, one of the things you 
need to look at is: How do you 
scale these systems logically 
and physically? I think over the 
next year, you're going to see 
convergence between CEP 
platforms and high-perfor- 
mance computing paradigms. 
[This could include the] inte- 
gration of CEP engines with 
distributed caches." 
.NET Source Code Released 

Users of Visual Studio 2008 may now 
browse and debug the framework 



BY DAVID WORTHINGTON 

Microsoft Corp. has made good on its 
promise to release portions of the .NET 
Framework source code and to enable 
debugging support in Visual Studio 2008. 
The company modified its licensing terms 
in response to concerns raised by the 
open-source community when Microsoft 
announced its intentions in October. 

Scott Guthrie, the general manager 
of Microsoft's Developer Division, 
announced last month in his blog that 
the code was generally available. 
Libraries are included for the .NET 
Base Class Libraries, ADO.NET, 
ASP.NET, Windows Forms, Windows 
Presentation Foundation and XML. 

Guthrie wrote that additional frame- 
work libraries, including Language 
Integrated Query (LINQ), Windows 
Communication Foundation (WCF) 
and Workflow, would become available 
at a later date. Although Visual Studio 
2008's official launch is set for Feb. 27, 
it was distributed to MSDN subscribers 
in late November. 

The .NET Framework source is 
licensed under the read-only reference 



license, the most restrictive of the com- 
pany's Shared Source licenses. 

Members of the open-source com- 
munity have expressed concerns about 
the legal implications of viewing the 
code. Notably, Mono project head 
Miguel de Icaza publicly stated that con- 
tributors would not be using Visual Stu- 
dio's new debugging features. Mono 
produces an open-source variant of the 
Common Language Infrastructure stan- 
dard that works with Microsoft's .NET 
implementation. 

In response to those concerns, 
Microsoft updated the reference license. 
The updated license does not apply to 
developers creating non-Windows soft- 
ware that has "the same or substantially 
the same features or functionality" as the 
.NET Framework, according to the text 
of the license. Microsoft has published 
detailed instructions on its MSDN Web 
site explaining how to enable .NET 
Framework source code access. Devel- 
oper comments are included in the 
source code, and some comments have 
supplementary history about Microsoft's 
code decisions. 
IE 8.0's Compatibility Mixed at Best 



BY DAVID WORTHINGTON 

In December, an early build of 
Internet Explorer 8.0 properly 
executed the Acid2 rendering 
test, but Microsoft has since 
revealed it will implement 
three rendering modes. Ironi- 
cally, release 8's default render- 
ing will not pass the test. 

If a Web developer wants 
full standards support in Inter- 
net Explorer 8, that person 
must "opt in" by inserting a 
meta element into the page 
code. The default rendering is 
called "standards mode" despite 
its inability to pass Acid2, and its 
support for W3C standards 
remains the same as in Internet 
Explorer 7. A "quirks mode" in 
version 8 will maintain compati- 
bility with Web sites that had 
been optimized for the brows- 
er's peculiarities. 

Chris Wilson, Internet 
Explorer platform architect, 
wrote an entry on Microsoft's 
IEBlog revealing that the com- 
pany worked with the Web Stan- 
dards Project to determine the 
best way going forward. 

Barcodes And 
Fractions in New 
Component 

BY DAVID WORTHINGTON 

FarPoint Technologies released 
version 4.0 of its FarPoint 
Spread for Windows Forms 
spreadsheet component on Jan. 
22. It boasts support for more 
APIs, allowing developers to 
customize the control, cell 
types, and import and export 
options, as well as offering UI 
enhancements. 

According to FarPoint, new 
cell types include one that pro- 
vides the choice of 10 barcode 
types and another that allows 
fractions. The component can 
now import and export data in 
Office Open XML and PDF 
formats, as well as import and 
export bitmap images in XLS- 
formatted Excel documents. 

Developers may export a 
view-driven version of data to 
Excel and import and export a 
validation list to Excel. Both 
Visual Studio 2005 and 2008 
are supported with this release 
of Spread. 

A formula bar with range 
selection support has been 
added to this version, as well as 
new cell note customizations 
and enhanced text rendering. 



Microsoft decided both to sup- 
port current standards and 
maintain backward compatibili- 
ty with existing content. The 
model permits developers to 
select standards behavior on 
their own timeline, instead of 
forcing them to follow 
Microsoft's, Wilson said. 

He explained that the com- 
pany was surprised when many 
developers expected IE7 to 
work like IE6. Developers had 
worked around the latter's 
"shortcomings and outright 
errors" and expected Microsoft 
to maintain its quirks, even in 
IE7's standards mode. 

"In many cases, these sites 
would have worked better if 
they had served IE7 the same 
content and stylesheets they 
were serving when visited with 
a non-IE browser," Wilson 
wrote. "Unfortunately, that did 
not happen." He added that 
IE8 would not introduce new 
compatibility problems. 
ISVs Urged to Beef Up Software Security 



< continued from page 1 

and tested earlier in the devel- 
opment process.) 

HARD TO POINT THE FINGER 

Commercial software develop- 
ers aren't held accountable for 



defects in the same way makers 
of small appliances, for example, 
would be. To some extent, that is 
justified. "Individual software 
components [licensed from an 
ISV] may be safe," said Fortify's 
Chess. "But did you configure 



them in a secure manner? No 
software maker can anticipate all 
the ways code will be used." 

What's more, commercial 
applications, such as those 
licensed from Oracle or SAP, 
tend to include vast amounts 



of customized code, written to 
connect those applications to 
the customers' databases and 
other software, said Jack 
Danahy, founder and CTO of 
application security toolmaker 
Ounce Labs. "So it's hard to 
point the finger and say the 
ISV's code is the root cause [of 
a security flaw]." 

Still, commercial software 
developers should be held to a 
higher standard, said Gwyn 
Fisher, CTO of application 
security toolmaker Klocwork. 
"We all want products that 
can't be attacked, and the indi- 
viduals [writing the software] 
have to take on the responsibil- 
ity for that." 

Applying pressure on com- 
mercial software makers to fix 
security flaws is a good strategy 
because it leads to better soft- 
ware. Microsoft would not have 
worked so hard to address the 
security flaws in Windows if the 
problems hadn't been discussed 
publicly, he said. "That is the 
beautiful thing about vulnera- 
bilities. People start talking 
about them, and public advoca- 
cy comes to the fore." 

Competition works even 
better, said Caleb Sima, chief 
technologist of the application 
security division of HP Soft- 
ware and formerly founder and 
CTO of SPI Dynamics, 
acquired by HP last year. The 
open-source browser Firefox 
gained traction by positioning 
itself as more secure than 
Microsoft's Internet Explorer. 
"That forced Microsoft to pay 
attention." In reality, Firefox is 
not necessarily more secure 
than Internet Explorer, he 
added. "What is true is that 
hackers don't target it as much." 

Fortify's Chess said that IT 
professionals should ask for evi- 
dence upfront, before licensing 
ISV offerings. "Make the vendor 
prove that security measures 
have been taken." And if a flaw 
is uncovered later, expect the 
software vendor to work with 
you. "If they don't respond, you 
can publicly embarrass them," 
he added. "It's sophomoric, but 
it's understandable." 
Visual WebGui Has 
Window to AJAX 

Israeli firm tries to simplify development 



BY JEFF FEINMAN 

An Israeli startup, Visual WebGui, has 
launched a namesake AJAX tool that the 
company says will unleash desktop 
development without the need to master 
the underlying Web technologies. 

The application development and 
deployment tool targets users familiar 
with Windows Forms. "All the Visual Stu- 
dio or Windows Forms documentation is 
basically the same for WebGui," said 
Navot Peled, CEO of the Tel Aviv-based 
company founded in July 2007. "There- 
fore, there is nothing new to learn." 

SOLVING THE SETBACKS 

Peled explained that he and his son, Guy 
Peled, the company's CTO, created the 
Visual WebGui tool "out of frustration," 
as they tried to overcome development 
setbacks and the complexities associated 
with AJAX, by giving developers a rapid 
application development tool. 

The Microsoft-only product can be 
used on the .NET Framework. It is 
installed locally and enables Windows-like 
desktop development. According to 
Navot Peled, it offers optimized commu- 
nication between the server and the 
client, and is the only framework that lets 
developers work as if they're using a full- 
blown desktop application without having 
to master the Web technologies. 

Navot Peled believes that the frame- 
work's empty client addresses at least 
one shortcoming he sees in AJAX: the 
ability of attackers to modify client code. 

Jeffrey Hammond, a senior analyst 
with Forrester Research, explained that 
if developers assume the client is trust- 
ed, it could be open to attacks if neither 
client nor server is validated. Navot 



Peled claimed that Visual WebGui is 
immune to problems such as leaving 
data in memory on the client. The client, 
he noted, displays the state of the serv- 
er on the client, behaving as a mirror of 
the server. Visual WebGui passes meta- 
data between the client and the server, 
with nothing else going back and forth. 

The Visual WebGui SDK will be 
enabled for Microsoft Silverlight devel- 
opment, and Navot Peled said that the 
company would be the first framework 
that allows such a wide enterprise devel- 
opment of Silverlight. 

REMEMBER THE MAINFRAME 

"If you remember the mainframe of 10 
to 15 years ago, which was serving big 
enterprises or systems before the Web 
era, this is the structure," Navot Peled 
said. "What we're doing is putting the 
mainframe structure on the Web." 

The company was founded when Guy, 
a 32-year-old programmer and former 
chief architect of business process man- 
agement provider Israeli FileNet (IFN), 
started work on the tool three years ago. 
After consulting with his father, Navot, 
who had marketing experience in the soft- 
ware industry, the two held a soft launch 
in mid-2007. There have been 150,000 
downloads of the tool, which was official- 
ly launched Jan. 24, the company said. 

Though Visual WebGui is free and 
open source, the company expects to 
form development partnerships, as it has 
done with Microsoft and SAP, and plans 
to offer enterprise dedicated controls 
and components and plug-in support. 

The Visual WebGui DLL and SDK 
are available for download on the com- 
pany site. 
Visual WebGui caters to developers familiar with Windows Forms in creating AJAX applications. 

SmartDraw 2008.2's ImageCharts enables the display of pictures instead of bars or lines. 

SmartDraw.com Flexes Charts 



BY JEFF FEINMAN 

Business graphics software creator 
SmartDraw.com is giving users more 
flexibility to customize charts and graphs 
by adding an express charting feature to 
SmartDraw 2008.2, a tool that auto- 
mates the creation of business graphics. 

SmartDraw 2008.2, released in mid- 
January, has new charting controls with- 
in Express Charts, company officials 
said. Express Charts, introduced in the 
initial release of SmartDraw 2008 in 
September, allows chart and graph cre- 
ation without a supporting spreadsheet. 
The enhancements allow users to alter 
the granularity of a chart and change 
where and how the legend is displayed. 

"One of the nice features about 
Express Charting is that you can apply the 
image as a fill, and users have the ability to 
assign a value to each image," said Joshua 
Piatt, director of product marketing for 



SmartDraw.com. "The images can be 
stacked, stretched and scaled differently. 
It gives you more control over how the 
chart looks." 

The software's ImageCharts feature, 
which uses pictures and images instead of 
bars or lines — for instance, a chart show- 
ing bottled water sales can display differ- 
ent sized bottles on a graph — has also 
been updated. Users can tell SmartDraw 
exactly how many images they want 
repeated in each chart section, or an 
image can represent a precise number. 

The tool now has 1,000 new symbols 
and more than 100 SmartTemplates to 
help users manage and run their business- 
es, according to the company. Piatt said 
that many of the new symbols represent 
Cisco Systems products, in the form of 
routers and network devices. In addition, 
new keyboard shortcuts can be accessed 
by a Keytips menu. 



CROSS-PLATFORM PUSH IN TROLLTECH DEAL 



< continued from page 1 

less of the operating system," said Juha 
Seppa, Nokia's director of devices and 
R&D. "What Nokia is trying to do here is 
accelerate our software strategy. This 
acquisition is all about . . . establishing that 
cross-platform capability. That will enable 
a wide range of innovation when develop- 
ers can implement their applications 
across many devices." 

Yet, the acquisition brings its own 
challenges for Nokia. First, many of the 
company's phones now run the Symbian 
operating system, which is not support- 
ed in the Qt cross-platform road map. 
But, as Haavard Nord, CEO and 
founder of Trolltech, pointed out, "By 
nature, Qt is cross-platform. It runs on 
the stock operating systems, it runs on 
embedded Linux. We are working on 
Windows CE and Windows Mobile sup- 
port. It is also possible to port the tech- 
nology to the Symbian operating system. 
I assume this will be a natural step." 

Another potential hurdle is the Nokia 



Internet Tablet, a handheld Linux-based 
wireless computer now in its third public 
revision. Nokia's Internet Tablet current- 
ly uses Maemo, a Gnome-based environ- 
ment. But in the world of Linux, Troll- 
tech's Qt/KDE environment competes 
with Gnome for "most popular Linux 
desktop environment." 

Nord's plans for Qt and Qtopia, how- 
ever, will remain in line with Trolltech's 
founding ideals: make development easi- 
er in fragmented environments. "One of 
the things developers are struggling with 
is that there's an increasing fragmenta- 
tion in devices and operating systems. Qt 
... is a way for developers to cope with 
this fragmentation," said Nord. 

As for the Scandinavian connection, 
Seppa acknowledges that the deal was at 
least partially motivated by the similarities 
of the companies' Nordic roots. 

The acquisition is expected to be com- 
pleted in the second quarter of 2008, 
pending government and shareholder 
approvals. 
LINX for Linux Eases 
Upgrade to Protocol 



BY P.J. CONNOLLY 

Swedish networking soft- 
ware and service provider 
Enea last month shipped 
a new version of its LINX 
for Linux interprocess 
communication service. 

LINX for Linux 2.0, 
which can negotiate fea- 
tures as well as protocols, 
is aimed at smoothing the 
upgrade of system subsets 
with newer protocol ver- 
sions while maintaining 
compatibility with other 
system components out- 
side the upgrade's scope. 

Previously, upgrading 
the basic communications 
protocol in a deployed system had been 
difficult, noted Enea product manage- 
ment director Michael Christofferson in 
a prepared statement. But 
the new feature set "en- 
ables new subsystems to 
be added to an existing 
system" without protocol 
compatibility concerns, he 
added. 

Christofferson says subsystems 
can be added to comms protocol 
without compatibility woes. 

Essentially, nodes in a 
LINX-based distributed 
system negotiate the lowest 
common denominators of 
their feature sets and pro- 
tocols. The company said 
that in the latest release, 
LINX offers 20 percent 
better performance than 
TIPC, the Ericsson-devel- 
oped Transparent Inter- 
process Communication 
protocol that is now open source. 

In addition, Enea has launched a cus- 
tomer support center. 



Mobile VoIP Gets a New Face 

Software for Windows Mobile, PocketPC 2003 



BY P.J. CONNOLLY 

To some, combining Internet telephony 
and mobile handsets promises liberation 
from the high cost of international dialing. 

Raketu Communications is jumping 
on the mobile VoIP bandwagon, with a 
beta version of its VoIP communications 
software, designed for native operation 
on Windows Mobile devices, the compa- 
ny said late last month. 

The software works with handsets 
meeting the requirements for PocketPC 
2003 and Windows Mobile 5 and 6, let- 
ting users make low-cost and free calls 
around the globe. Free calling zones 
exist in 42 countries, according to the 



company, including Brazil, Canada, Chi- 
na, Europe, Japan, the United Kingdom 
and the United States. 

"Increasingly, our users who have Win- 
dows Mobile smart phones have been 
requesting that Raketu run native on their 
handsets," Raketu president Greg Parker 
said. That would avert the steep fees some 
carriers charge for international calls. 

The company has extended its pre- 
paid VoIP services to cover the new plat- 
form, with 1,200 minutes included in the 
basic package. Mobile customers can 
use the service to connect to both land- 
line and mobile phones, as well as use e- 
mail, instant messaging and SMS. 



M-BUSINESS ANYWHERE GETS A RELOAD 



BY P.J. CONNOLLY 

Developers seeking to improve GPS 
integration with mobile applications may 
have a new arrow in the quiver, thanks to 
Sybase. 

Sybase iAnywhere's Information Any- 
where suite got a tune-up last month: 
new menu customization, expanded 
platform support and enhancements to 
the Mobile Inspection Toolkit. 

The M-Business Anywhere compo- 
nent for application enablement, which 
supported Palm, Windows Mobile 5 and 
Win32 platforms, now also runs on Sym- 
bian Series 60 (third edition), Windows 
Mobile 6 and Windows Vista desktop 
and tablet editions. 

Flash I/O access was added "to our 
existing support for Windows Mobile 
5," said Yadong Liu, senior product 



manager with Sybase iAnywhere. 

M-Business Anywhere 6.7 lets devel- 
opers tailor the client user interface on a 
device using JavaScript, providing "a 
more dynamic user experience," Liu said. 

The Mobile Inspection Toolkit, for 
field inspection and survey applications, 
now offers camera and GPS synchro- 
nization, in both PDAs and laptops. 

Liu called the kit "a forms builder for 
the mobile inspection [and] field survey 
market. It includes out-of-the-box 
inspection workflow management and . . . 
a dashboard where you can administer 
the forms building [process] and the 
inspectors and also view the analytics and 
the reporting side." The kit also permits 
adding GPS information and photos to 
survey results and provides integrated 
tracking of an inspector's position. 
Sun SPOTs, now open source from the specification up, have been hacked and modified into 
everything from a glove-like remote controller to a hamster-ball robot brain. 

Sun SPOTs See Java 
Pervade Mobile, Embedded 



< continued from page 1 

mable Object Technology — sheds light 
on what Sun's embedded gurus see as 
the application development of tomor- 
row. That future belongs to things, 
rather than numbers, concepts or trans- 
actions. Supporting that theory, Sun's 
SPOTs are tiny bundles of circuits and 
sensors designed to monitor real-world 
activity with Java. 

Arshan Poursohi, a developer at Sun, 
said that SPOTs are unique because they 
run Java on "the bare metal. Having a 
high-level language, as opposed to assem- 
bly or C, lets you pick up code and run 
with it. You can do in weeks what might 
have taken months before," he added. 

Currently, Sun has made the devices 
available in several countries, including 
the U.S., Japan, Australia, New Zealand 
and most of the European Union. But 
the company's "data center in a shipping 
container" hardware solution is some- 
times sold with modified Sun SPOTs — 
used to monitor temperature and mois- 
ture inside those massive black boxes. 
Now that SPOTs have been in the wild 
for more than a year, Roger Meike, 
senior director of Sun Labs, discussed 
some of the ways that Java is making 
them shine. 

SPOT'S TREAT SPOT 

Meike described numerous experiments 
that Sun SPOT users have undertaken 
since the devices were introduced. One 
fellow used the technology to control a 
treat dispenser in his home. When he 



wanted to see his dog through the Web 
camera, he would set up in that room, 
trigger the SPOT through the Web to 
open the treat door, drawing his Boston 
Terrier into the room and into the cam- 
era's view. 

Sun SPOTs can be tied together into 
loose networks, something that required a 
lot of creative development from Sun, 
said Meike. The SPOT team demonstrat- 
ed how "loose" doesn't necessarily mean 
"wobbly," by holding up two devices and 
migrating a running application — which 
simply blinked a white light on the run- 
ning device — from one SPOT to another, 
without any device restarts or lost threads. 

Poursohi later described how Sun 
SPOTs would be used to help monitor 
the restoration of wetlands in the San 
Francisco Bay area. Scientists, he said, 
currently use sensors that must be 
pulled out of the mud once a week, then 
plugged into a laptop to download data. 
Poursohi said that SPOTs would enable 
scientists to read that information wire- 
lessly and allow sensors to communicate 
with one another. 

Also attending Sun's Java Mobile and 
Embedded Developer Days were repre- 
sentatives of Motorola, Nokia and Voda- 
fone. Specifically, Vodafone was on 
hand to launch its Betavine project, 
which seeks to create APIs and re- 
sources to help developers build mobile 
applications. Betavine is open now at 
www.vodafonebetavine.net and offers 
sample applications and code for mobile 
Java developers. 







30 SPECIAL REPORT 



Software Development Times . February 15, 2008 . 



www.sdtimes.com 



SOFTWARE PIRACY 



BY LISA MORGAN 



Developers bid to 



Software piracy is a global problem that can't be 
eradicated, ever, according to combatants. For 
software developers, the best-case scenario is 
to make illegal copying, distribution, and 
reverse-engineering difficult enough to persuade the 
black hats to move to another target. 

While piracy rates changed little in recent years, 
losses are mounting, according to the Business Soft- 
ware Alliance (BSA) and International Data Corp. 
(IDC) 2007 Global Piracy Study. The rate from 2004 
through 2006 was 35 percent, down slightly from 36 
percent in 2003, the fourth annual study showed. But 
it also revealed that losses ballooned during that peri- 
od, from US$28.8 billion in 2003 to more than $35.7 
billion in 2006. 

Anti-piracy laws exist in a growing number of coun- 
tries; however, not all nations enforce to the same 
degree. Historically, China and Russia have been the 
biggest offenders, though software protection vendors 
say that, over the past four or five years, both countries 
have improved. They have started to shut down sites 
and dispatch police. Indeed, the percentage of pirated 
software has decreased in these countries over the 
same period, as shown in the BSA/IDC report. Never- 
theless, both still had scandalous rates of piracy in 2006 
and held the dubious distinction of leading the world in 
revenue loss. 

Nonetheless, the highest piracy rates don't 
necessarily translate into the biggest losses: 
Armenia, Azerbaijan and Moldova led the 
field in 2006: 95 percent, 94 percent and 94 
percent, respectively, and the losses in 
those countries amounted to $8 million, 
$51 million and $56 million. Compare 




that with China, Russia, Japan and India, each of which 
had comparatively lower piracy rates of 82 percent, 82 
percent, 25 percent and 71 percent, respectively. The 
losses in those markets are sizable, totaling $5.4 billion, 
$2.1 billion, $1.7 billion and $1.2 billion. 

China, for its part, is enforcing laws with greater vig- 
or because 15,000 Chinese software vendors are con- 
cerned about the piracy of their own software, said Vic- 
tor DeMarines, vice president of products at Vi Labs. 

By comparison, Russia is ripe for software cracking 
because it has a world-class educational system but few 
legitimate jobs, he added. 

Laila Arad-Allan, director of product management 
at Aladdin Knowledge Systems, said that it's easier to 
calculate the loss of illegal copies because they can be 
counted. But it's more difficult to determine the lev- 
el, and value, of code that has been stolen. As a result, 
software developers need two types of protection: 
copy and intellectual property (IP), each requiring 
different tools. 

"Copy protection guards against the unauthorized 
use and distribution of software, while IP protection 
helps prevent copycatting," she said. "The point is to 
make it difficult for individuals and groups to reverse- 
engineer software, because otherwise they may be able 
to understand the logic, algorithms and flow — IP 
embedded in the code." 

Besides professional thieves, some individuals and 
corporations abuse legitimate licenses by copying 

software onto multiple computers or buying 10 seats 

and allowing 100 workers to use the software. 

According to Amena Ali, chief marketing officer 
at Arxan Technologies, the offenders don't 
realize that buying a software license 



simply means they have a limited right to use it. 
Instead, she said, they think that because they bought 
the code, that justifies illegal overuse. 

Vadim Katcherovski, president of Logic Software, 
said that end-user piracy and overuse pose the most 
serious problem for developers, even though the rate 
of downloads from peer-to-peer networks is increasing. 

Add to that a generation joining the work force that 
has grown up with try-before-buy software, gaming 
shortcuts, and YouTube how-tos and the problem is no 
longer just technical — it's cultural. 

SOPHISTICATED THIEVES 

At one time, software piracy was defined as illegal disk 
copying and hacking, with a simple goal: achieve noto- 
riety. But, over time, techniques have evolved along 
with software development and distribution methods. 
And, in today's connected world, it's big business, as 
evidenced by the BSA/IDC report. There's a wealth of 
how-to information on the Internet, and mass distribu- 
tion is cheap and easy thanks to peer-to-peer (P2P) net- 
works, Internet relay channels (IRC) and newsgroups. 
"BSA used to say, 'Don't copy that floppy' back in 
the days when illegal copying meant handing a disk 
copy to as many people as you could physically hand it 
to," said Mark Ishikawa, CEO and co-founder of BayT- 
SP. "With P2P networks and the Internet, you're shar- 
ing software with tens of thousands or millions 
of people you haven't met — it's the world 
versus just friends." 

Often, thieves use the same tools — 
compilers, debuggers and disassem- 
blers — that legitimate developers do. 

repel invasion fueled by clever thieves, Internet 

Debuggers and disassemblers 
change a file, remove protection or change the behav- 
ior. Many pirates are building their own key generators 
by reverse-engineering or replicating license keys. 

Vi Labs' DeMarines said that virtualization is also a 
problem because VMware, for one, does not provide 
an absolute trusted environment. If you can control 
VMware, you can control the memory. 

Aladdin's Arad-Allan said that it's also relatively easy 
to understand the logic of a .NET application because 
it's simple to compile. ".NET is a great platform 
because it includes many advancements, but one dis- 
advantage is that IP is exposed in the code," she said. 

Vi Labs' DeMarines agreed, noting that bypasses 
are sometimes achieved using a Windows executable 
and that, in native Windows, debuggers are employed 
to understand the registry and signatures. 

DAVID VS. GOLIATH 

There is often a great disparity of manpower between 
white and black hats. Quite often, it's legitimate soft- 
ware development teams of a finite size against armies 
of sophisticated hackers and reverse engineers, some of 
whom may be associated with organized crime. 

Soon after software is released, it's frequently 
hacked, which forces the original development team to 
respond with patches. Worst case, the software is tam- 
pered with or copycatted, and distributed free or 
sold at substantially lower prices than legitimate 
copies. 

As a result, software developers face three 
business problems. The first is financial loss. 
Second, some existing or potential cus- 
tomers may not understand the dis- 
parity between legitimate and ille- 
gal pricing, particularly when the distribution site 
appears legitimate. This creates false downward pric- 
ing pressure and a PR problem. Third, when con- 
sumers download pirated products, they may also be 
downloading unwanted problems, such as malware, 
spyware, software that doesn't operate properly, or a 
lack of access to technical and customer support. 
Because the brand name is being used, these problems 
may hurt the brand itself. 

"Piracy groups have become their own ISVs," said 
DeMarines. "They've got developers, testers and distri- 
bution." 

Software developers can be their own worst ene- 
mies by leaving the door open for piracy in the first 
place. Part of the problem may involve design, though 
experts agree that what can be built can be tampered 
with, or reverse-engineered. 

Some development shops are growing their own 
form of software protection, which could be a costly 
mistake. First, software protection is likely not the 
company's core competency, and there are not 
enough experts and in-house hackers to ensure that 
the software is adequately protected continually. 
Worse, some developers think they can cobble togeth- 
er their own software protection mechanisms in a few 
man-hours, which leads to low-quality protection and 
requires maintenance. 

Even if there is a commercial solution in place, 
software developers may not be using it. 
Or, if they are, they may not be applying 
it correctly. Software protection and 
digital rights management (DRM) tools 
are only as good as the people who 
use them. 





Another mistake may be relying too heavily on 
license management, forgoing other types of protec- 
tion that would add to the product cost or bust this 
year's budget. 

If cost is an issue, DeMarines suggests looking at 
ROI by quantifying various markets, and applying the 
piracy delta to calculate potential losses. Then, com- 
pare that number with the dollar cost of keeping soft- 
ware off the streets for, say, $5 a copy. 

BayTSP's Ishikawa disagrees, saying there's no way 
to derive an accurate empirical ROI because you sim- 
ply can't ascertain how many copies illegal users might 
have purchased. 

WHERE DOES IT FIT? 

Into which life cycle software protection fits is another 
issue. Protection can be viewed in terms of the soft- 
ware development life cycle, but because a developer's 
software product is a corporate asset, it needs to be 
contemplated in business terms. Meanwhile, the Sar- 
banes-Oxley Act mandates asset protection and an 
auditable trail of that protection. That's why line-of- 
business managers, chief financial officers and others 
are getting involved, or so say vendors. 

"Software development is no longer silo'd. You can't 
just build it, ask whether it meets the market require- 
ment and consider the job done," said Sebastian Holst, 
senior VP of PreEmptive Solutions. "How you build 
software translates to security and financial risks, and 
therefore you're obligated to align software develop- 
ment practices with business stakeholders." 

Arxan's Ali says some development shops just lack awareness: They don't know how much intellectual property is being siphoned off, or to what extent illegal copy distribution is affecting the bottom line. And they don't know what to do about it.

"Hackers delight in the gap between application development and security," Ali said. "They may not even be thinking of application security, and the whole company pays for it. It's not just about getting software out; it's about getting a sustainable asset out that's protected via security."

Finally, John Dozier, managing partner at Dozier Internet Law, says that software developers, software protection and digital rights vendors located in the U.S. are making the mistake of viewing piracy in terms of American standards of behavior. "You can't evaluate risks [if the analysis is] based on what we in the U.S. think are human motivators," he said.

MITIGATING THE PROBLEM

License management is one 
type of barrier, albeit not a solu- 
tion to software piracy because 
it can be circumvented, as not- 
ed above. It helps to keep hon- 
est customers honest, but it 
doesn't protect against overt 
piracy. 

Encryption is another 
method, but some assert it isn't 
a definitive solution because it 
provides only a single layer of 
defense. Multiple layers and 
types of protection are required 
to slow thieves even further, as 
long as those layers don't create 
interoperability issues. 

Yet another tactic is water- 
marking, which combines data 
hashing and digital watermark- 
ing. Data hashing assigns an 
alphanumeric string to a file; if 
the file is modified and then re- 
hashed, a different numeric 
string will result. Digital water- 
marking embeds auxiliary data 
into a file; if someone tries to 
reverse-engineer code and then 
recompile it, the watermark 
persists. 
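
The data-hashing half of that approach, as an added example (not from the article or any vendor named in it): a manifest of digests is recorded for a release directory and later re-checked, reporting modified, missing and unexpected files. The file names and contents are constructed samples, and SHA-256 is an assumption; the article does not name a hash function.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 digest of a file as a hex string."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and compare it with the recorded manifest."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, recorded in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif not hmac.compare_digest(recorded, current[name]):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed release tree, change it, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"constructed sample binary v1")
        (root / "license.dat").write_bytes(b"constructed sample license data")
        (root / "readme.txt").write_bytes(b"constructed sample readme")
        manifest = build_manifest(root)  # recorded at release time

        # Changes made after the manifest was recorded (constructed)
        (root / "bin" / "app.exe").write_bytes(b"constructed sample binary v2")
        (root / "readme.txt").unlink()
        (root / "bin" / "patch.dll").write_bytes(b"file not in the release")
        return verify(root, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

The manifest is only useful if it is stored or signed somewhere the person modifying the files cannot reach.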

Vendors are attacking the 
problem in different ways and 
at various points within the soft- 
ware life cycle. 

A global war rages between 
legitimate software publishers 
and those illegally copying, dis- 
tributing and reverse-engineer- 
ing their products. From a legal 
perspective, some mistakenly 
think in terms of litigation — a 
myopic view at best. 

First, software protection 
doesn't begin or end with litiga- 
tion. It must be integral to soft- 
ware design, development and 
testing processes, as well as 
everyday business operations. 
Software piracy means risk, and 
the best way to mitigate that is 
to integrate risk management 
into every phase of the business 
and software life cycles. 

Second, just because you can 
litigate doesn't mean you should. 
There are two types of cases: 
civil and criminal. The former is 
designed to stop illegal activity, 
recover damages or force valid 
licensing agreements. The point 
of criminal cases is to shut down 
illegal operations, prosecute 
and, hopefully, put away the 
offenders. A civil case is accom- 
plished through corporate 
lawyers and their law firms. 
Criminal cases necessarily 
involve the government. 

Further, what works in the U.S. won't work the same way in another country, if at all.

Regardless, litigation is an expensive proposition, and it can backfire if not executed with precision. In addition to the hard costs of litigation, which can run in the tens or hundreds of thousands or more, there are intangible costs, such as adverse public relations.

Attorneys Dozier and Kraig Baker, a partner at Davis Wright Tremaine, say that Digital Millennium Copyright Act cease and desist letters can wind up posted on the Internet, often through blogs. The resulting caustic comments can be harmful from a PR perspective to a business that is simply trying to protect its own assets.

"The answer isn't in court," said Dozier. "It's a technology and business issue."

What's more, don't look toward the government or associations, even the BSA. Dozier said companies that assume the FBI or CIA will bust offenders are "foolhardy." Government resources simply cannot be relied upon to protect private property.

Davis Wright Tremaine's Baker has a different view. The best way to handle piracy, he said, is to create products that are difficult to pirate, while using the government to enforce laws and the legal system to enforce corporate rights. Steer clear of self-help or vigilantism.

Yet, not every software company should concern itself with piracy, Logic Software's Katcherovski said. Nascent companies ought to concentrate resources on bringing software to market.

In some cases, companies intentionally make their software easy to crack, or they remove protection altogether. The idea is to make the software popular on pirate sites and P2P networks, he said. After the software becomes popular, the company releases a version that includes strong protection. This notion ties back to risk management, which is also reflected in trials and free versions: Software developers know that some percentage of trial software users will share or otherwise overuse the software. They also know that some users will never upgrade to a paid version.

Thus, the bottom-line questions are these: How much risk is acceptable? What precautions must be employed? And, at which points in the life cycle must protective measures be taken to ensure that the risks and rewards are managed in a way that advances the best interests of the company?

10 TIPS FOR MITIGATING PIRACY

1. Control the development environment. Put policies in place and control permissions so that you create an environment that encourages developers to do the right thing.

2. Educate. Build internal awareness that piracy is a material threat to the bottom line of the company, and perhaps its [illegible]

3. Assess risks. To protect your software, find the holes.

4. Use the right tools. Many factors affect how software will be tampered with or reverse-engineered. These include the platform or operating system on which the software was built, the tools used to build it, how the software is being distributed (a packaged product, a download or a managed service), and what type of software it is (desktop, server or embedded).

5. Use the tools properly. If you're using software protection, make sure you're applying the available features in the most effective way.

6. Think globally, act locally. Adjust your software protection strategy as needed to combat threats in different countries.

7. Value vs. price. Software protection schemes vary by vendor, so there is no justification for buying on price alone.

8. Buy vs. build. Don't create your own software protection scheme, unless you have a dedicated in-house team of expert gladiators who can handle the task continually.

9. Think strategically. Make sure the type of software protection you choose is consistent with those who are hacking your software and the remedies you seek. Do you want to shut down an operation, or be properly paid for illegal use?

10. Determine your risk tolerance. Chances are your software will be tampered with or reverse-engineered, somewhere, by someone. How much risk is your company willing to accept before taking swift—and expensive—action to enforce rights? Don't forget that the price of litigation may include the hidden cost of adverse PR.

—Lisa Morgan

FROM THE EDITORS

Mobile Development's C++ Moment

At first glance, Nokia's purchase of Trolltech was a puzzle. Nokia is 
one of the world's largest manufacturers of mobile phones and, 
arguably, the market leader. Trolltech is a small, hippy-style company 
focused almost entirely on C++ development. 

For years, Java has dominated mobile-phone applications develop- 
ment, along with Qualcomm's BREW. C++ has barely even registered, at 
least not among mainstream mobile programmers. Yet, despite the 
"write once, run anywhere" benefits that Java — particularly Java ME — 
offers, wireless development remains a nightmare. There are thousands 
of handset types, with hundreds of firmware systems and APIs behind 
them. Each phone model is an island unto itself, so much so that the Java 
Community Process last year had an entire JSR dedicated to selecting 
several Java specifications to be bundled as "standard capabilities." 

That brings us to Qt, Trolltech's C++-based GUI toolkit. Trolltech has 
long been famous for Qt. But under the radar for most folks is the com- 
pany's heavy investment in Australia. On that great continent down 
under, Trolltech has employed about 100 developers to work on a single 
project: Qtopia. The plan, it would seem, is to build an environment for 
phones that can do much of the same cross-platform work that Qt is 
gearing up to handle. Qtopia required a heavy investment from Troll- 
tech, but it was supposed to deliver big returns when the mobile mar- 
ketplace was ready for it. 

The marketplace is ready, as Nokia amply demonstrated. 

Developers are sick of writing and compiling dozens of versions of 
each mobile application, so much so that many with whom we have spo- 
ken still prefer assembly language to both C++ and Java for mobile 
devices. With Qtopia tucked firmly under its wing, Nokia has a brood of 
hatchlings that could mature into a blockbuster development experience. 

If every Nokia phone produced from this point used the same Qtopia 
APIs, I/O interfaces and Qtopia libraries, life would be a lot easier for 
developers tasked with building applications for Nokia platforms. Per- 
haps they'd even beat a path to the Norwegian company's door. And with 
one of the great brains behind WebKit on board at Nokia, thanks to the 
Trolltech acquisition, the potential exists for a healthy new mobile Web 
browser to take shape. 

All around, Nokia's Trolltech deal should translate into less work for 
developers and better applications for users. It also means tough times 
ahead for Motorola, Samsung and other mobile phone makers. 

Happy Birthday, IBM's System i 

IBM's System i is a platform that one can't help but love, so we're 
thrilled that the company continues to maintain and expand the 
midrange platform, in the face of increasingly powerful commodity hard- 
ware. 

It's hard to believe that System i is 20 years old, if one goes back to the 
launch of the AS/400. It's even harder to believe that 29 years have 
passed since IBM Rochester (Minn.) shipped the first System/38s. All of 
a sudden, we feel really old. 

It's so easy, when surfing the Web or even reading SD Times, to think 
that server platforms are bookended by Linux and Windows. But, 
remember, long before either of those platforms was viable, the oft- 
renamed System/38-AS/400-iSeries-System i midrange servers were 
helping small and medium-size businesses stay competitive. Larger ones, 
too: Well into the 1990s, these were reputed to be among the most reli- 
able systems that Microsoft had in its own data centers. 

So here's to you, IBM Midrange System, whatever you're branded as 
this year. You may not be the sexiest platform in today's fast-moving 
world, but sometimes sex doesn't sell — reliability does. 



Don't Ignore Static Analysis 



Complexity has become the most 
significant challenge to meeting 
time-to-market and reliability demands 
for software. Automated tools, such as 
static source-code analyzers, are need- 
ed to cope with this complexity. A stat- 
ic analyzer determines execution paths 
through code and how the values of 
program objects flow through these 
paths, potentially resulting in 
bad pointer references, mem- 
ory leaks, buffer overflows, 
and many other nasty prob- 
lems that are reported to the 
programmer. Yet most devel- 
opers do not regularly use 
static analyzers. Let's discuss 
why and what can be done 
about it. 

At a recent computer con- 
ference, a survey of engineers 
found that only 5 percent of developers 
regularly employ static analysis. I have 
asked a wide variety of professional soft- 
ware developers about their use of these 
tools. A common set of barriers emerges 
in addition to the obvious one: cost. 

Occasionally, the pain of tracking 
down and averting false positives is cit- 
ed. This complaint, however, has gone 
the way of the dodo, as commercial stat- 
ic analyzers have become very accurate. 
Some developers base their experience 
on the old — and free — Unix lint analyz- 
er, which is notoriously verbose and 
inaccurate. You get what you pay for. 

The more common complaints cen- 
ter on how static analyzers (don't) fit 
into the software developer's workflow. 
Developers are accustomed to the edit- 
build-debug cycle, and adding another 
"analyze" phase is uncomfortable. Stat- 
ic analyzers are usually stand-alone 
tools that must be invoked and man- 
aged separately from the developer's 
IDE. Developers also lament the exe- 
cution time of static analyzers, often 
orders of magnitude longer than a reg- 
ular compile. These inefficiencies deter 
usage and rob developers of an incred- 
ibly valuable tool and the resulting 
meaningful improvements in fielded 
product reliability. 

INTEGRATION TO THE RESCUE 

What can be done about it? The answer 
is quite simple. Static analyzers need to 
become integrated static analyzers 
(ISAs). An ISA introduces a new 
approach in which static analysis is per- 
formed within the same compiler and 
IDE used to build software. An ISA can 
generate its warnings or errors inter- 
leaved with the other standard diagnos- 
tics output by the compiler. Further- 
more, common integrations between the 
project builder and the editor augment 
the usability of the static analysis tool: 
When a defect is reported during the 
build process, the user can hyperlink 
from the builder's output window back 
to the source code quickly, rectify the 
error, and then return to rebuilding the 
program. 

The execution time barrier can also 
be squashed. The ISA analysis engine 
takes advantage of efficient dataflow 
analysis, constant propagation, and path- 
pruning algorithms developed over 
many years to perform com- 
plex compiler optimizations. 
In addition, the total time to 
build and analyze software is 
reduced because the compil- 
er uses a single parsing pass 
of the code to perform both 
compilation and analysis. 
Finally, the integration with 
the IDE enables the analyz- 
er to take advantage of the 
existing distributed build 
mechanism. The parsing pass for the 
project's source code is distributed 
across available workstation assets on 
the user's network, dramatically reduc- 
ing the total analysis time. 

Consider that a traditional analyzer 
takes about 10 minutes (one vendor's 
published results) to analyze the 
Apache Web server code base; the ISA 
requires only 30 seconds on the same 
PC hardware. 

Finally, we come to cost. Although 
business models vary, a common one 
involves charging a fee proportional to 
the size of the codebase put through 
analysis. Cost-per-line-of-code lends 
itself nicely to a return on investment 
analysis. High-quality commercial ana- 
lyzers cost approximately 5 cents per 
line of code. Let's see if we can quantify 
the benefit. 

ISAs reduce development time by 
enabling engineers to detect and 
resolve problems more efficiently and 
earlier in the development cycle. By 
reducing development time, products 
reach the market faster and stay in the 
market longer, translating into higher 
sales and profits. By increasing product 
quality, analyzers reduce post-sales 
cost associated with product failures, 
recalls and in-field maintenance. Fur- 
thermore, increased quality improves 
market positioning and reputation, 
enabling organizations to command 
higher prices, which filter directly to 
the bottom line. 

Unfortunately, while clearly substan- 
tial, many of these benefits are difficult 
to quantify. So let's look at the direct 
cost of production software develop- 
ment, something that has been thor- 
oughly researched over the years. 

It is estimated that it cost US$1,000 
to develop each line of code on the 
space shuttle. Developing software to 
the stringent DO-178B Level A stan- 
dard (for critical aircraft systems) has 
been estimated at hundreds of dollars 
per line. On the lower end, Red Hat 
Linux has been estimated to cost $33 
per line of code. Other estimates gener- 
ally place the cost of high-quality com- 
mercial software in the range of $30 to 
$40 per line of code. 

Yet other studies have estimated 
how this development time is spent. 
Most concur that more than half of 
software development time is spent 
debugging: identifying and correcting 
software defects. If we use a conserva- 
tive estimate of $30 per line of code in 
total cost, this means that organizations 
conservatively spend $15 to debug each 
line of code. 

THE EARLIER, THE BETTER 

Another well understood truth is that 
the cost of identifying and correcting 
defects grows dramatically as the 
development cycle progresses. Some 
studies have shown that the time to fix 
a bug grows from an average of two to 
three hours during the coding phase to 
between 16 and 18 hours when a 
defect must be tracked down during 
post-integration quality assurance test- 
ing. Author Steve McConnell is often 
quoted for his estimates that defects 
cost 10 to 100 times more to fix when 
they escape detection during the cod- 
ing phase. 

Now let's consider the decrease in 
defect resolution time enabled by stat- 
ic analyzers. Some studies have shown 
that static analysis can reduce the num- 
ber of defects found relative to manual 
reviews by more than 40 percent. In 
addition to new code, analyzers have 
been run on mature production code, 
including the Linux kernel, OpenSSL, 
and many others, uncovering numer- 
ous defects, including security vulnera- 
bilities. When a defect is identified 
using static analysis, the most expen- 
sive part of defect resolution — tracking 
down the bug — is reduced to a negligi- 
ble amount; the tool automatically 
locates defects and elucidates the 
offending code sequence leading to the 
failure. Using a conservative estimate 
of 10 percent for the decrease in bug 
fixing time enabled by an ISA, the $15 
cost to debug a line of code is reduced 
by $1.50. 

A savings of $1.50 per line of code 
represents a return of approximately 30 
to 1 on our 5-cent investment. And 
we're not counting the other down- 
stream benefits resulting from improved 
quality and time-to-market. 

Developers worried about the cost of 
analyzers should instead be concerned 
about the cost of not using them. Static 
analyzers are found far too infrequently 
in the software developer's toolbox. A 
new breed of integrated analyzers is 
breaking down barriers. 

David Kleidermacher is CTO of Green Hills Software, which sells embedded development tools with an integrated static analyzer.



LETTERS TO THE EDITOR 

Google Supplants Microsoft? 



It can be expected that as Bill Gates 
moves out of the front office, many of 
his cohorts will also want to move on 
("Changing of the Guard in Redmond," 
Feb. 1, page 1). Steve Ballmer cannot 
hold court in the same fashion as Bill 
did, and the spoils of unfair trade and IP 
theft that were practiced prior to gov- 
ernment oversight will not be as great as 
they were when Microsoft manhandled 
the United States court system and the 
entire tech industry. 

The writing is on the wall at Red- 
mond: Google is the new champ of tech- 
nology, brain trust, employee benefits 
and bragging rights. Microsoft, while not 
down and out, is on the ropes, and few 
of the old guard want to be associated 
with it as it blends into the landscape 
rather than remaining a stalwart. 

The higher they climb, the harder 
they fall. This syndrome doesn't escape 
any great group, whether Alexander the 
Great or Enron; Microsoft too will fall, 
the public and the pundits are onto 
them, and nowadays we expect much 
more of our systems than empty 
promises, fluff, and marketing without 
substance. 

Apple, Google and Adobe will be the 
major tech providers to follow, and the 
ones that will grab the headlines with 
real innovation, rather than trying to 
find growth in new markets the way 
Microsoft enters any new sector — grab- 
bing any company with a good idea just 
to make news while acting like they have 
money to burn. 

You and I were present to witness two of the best rise-and-fall performances of the technology sector — IBM and Microsoft. They will not disappear, but they both will be seen as Once Titans that ruled with iron fists, and closed minds, only to be blindsided by young creative types who found the weak underbelly, using new ideas, upturning staid practices, and teaching us how to learn all over again.

Here's to the end of the rule by Bill 
and his team of technology-constricting 
thieves at the gates (pun intended): 
Allchin, Raikes, Neukom, Gates, 
Myhrvold, Allen and company. They will 
be missed, but their misdeeds will not 
be forgotten. 

Jonathan Olas 

.NET WINS ANYWAY 

I think the question posed on page 1 of 
your Feb. 1 issue is ridiculous ("Does 
.NET With LINQ Beat Java?"). It 
implies that .NET without LINQ does 
not somehow already beat Java. .NET is 
already by far a more productive envi- 
ronment than Java. Web development in 
.NET might be considered similar, but 
productivity in .NET exceeds that 
offered by competing Java technologies. 
In the thick-client department, there is 
absolutely no comparison, as Swing has 
never been successful and is, from a pro- 
ductivity point of view, miles behind. 
Trevor de Koekkoek 

WHAT DO YOU THINK? 

SD Times welcomes feedback. Letters 
should include the writer's name, com- 
pany affiliation and contact informa- 
tion. Letters become the property of 
BZ Media and may be edited for space 
and style. Send your thoughts to 
feedback@bzmedia.com. 

In 2008, 2.3 trillion mobile messages will be sent, up from 2007's count of 1.9 trillion, according to figures recently released by research firm Gartner.

The lion's share of the business is in the Asia and Pacific region.

Gartner research director Nick Ingelbrecht noted in a prepared statement, "Carriers should plan for a future of much reduced margins on messaging services," adding that "to sustain growth over the next few years, carriers should look ahead to social networking applications to drive traffic."

Open Space - A New Format for Tech Conferences



A nascent trend in small tech confer- 
ences might well redefine the 
whole show experience. It's called open 
space, and it takes a radically democra- 
tic approach to conference design. 
Having recently attended an open- 
space conference, I can speak to the 
change in perception it requires and 
the unique benefits it delivers. 

The tenet of open space is that the 
attendees determine the agenda. Typi- 
cally, they get together at the outset to 
decide what the major themes and ses- 
sion topics should be. 

At a conference I recently attended, 
we gathered the first night and listed 
topics of interest on index cards. Then 
the cards were collected and read 
aloud. Topics were consolidated and 
written onto large Post-it notes. 

Next, the notes were placed on a 
large board, and attendees made a tick 
mark next to the topics that interested 
them most. The sessions generating 
the most ticks were then selected and 
presented until all the time slots had 
been filled. 

Often, similarly themed sessions were combined — a process that proved instructive. Immediately, I was humbled by the discovery that many sessions were far more interesting than the ones I had dreamed up. I also got a clear view of what problems my colleagues were facing and what solutions most interested them. When was the last time you learned that during a conference?

The next step was to find session 
leaders. But where do you get an 
expert to speak on XYZ on short 
notice? 

You don't. People who are 
interested in a topic go to the 
room at the indicated hour 
to begin a dialogue. 

Invariably, one or two 
people emerge to share their 
expertise. Anyone can join 
in — or just sit there quietly. 
Sometimes, you hear what 
hasn't worked for some folks; 
other times, you hear what 
has worked. 

If the conversation doesn't interest 
you, you're free to leave and go to 
another session. The fundamental rule 
is that "wherever you happen to be, 
that's where you should be." 

It's up to you to find the sessions that best suit your needs and to leave the ones that don't. There is no discourtesy in walking out during a discussion. In fact, it's rather expected.

Sometimes the sessions are not long 
enough to cover topics entirely, so the 
participants spontaneously decide to 
hold a "birds of a feather" session at 
day's end, extending the conversation. 

The upshot is that you forge much 
richer connections, especially with 
people who took part in multiple ses- 
sions with you. Generally, 
you get to explore your spe- 
cific concerns if they are 
shared by others, and you 
don't have to sit and listen to 
talking heads. Indeed, 
everything is real. 

For open space to work 
well, however, several key 
elements must be in place: 
the conference must be 
small; the attendees must be 
passionate about the topic and, ideally, 
knowledgeable; and everyone must be 
prepared to contribute. This is not a 
conference for junket seekers or for 
those who simply want to sit back and 
listen. 

Of course, you may go and say noth- 
ing, but that is not encouraged. If only 
a fraction of attendees acted that way, 
the whole mechanism would fall apart. 



The participation requirement is made 
easier by the shortness of the confer- 
ence. Unlike trade shows, which seem 
endless when you're there, open-space 
conferences occupy more than two 
days. As a result, it's easy to remain 
motivated. 

The conference I attended was 
CITcon, which was excellent for practi- 
tioners of continuous integration. The 
first night was dedicated to creating 
the schedule, followed by a social hour. 
The next day was all classes. Before 
closing, all attendees met one last time 
to make suggestions and comments. By 
6 pm, the entire event was done. 

This brevity enabled you to maintain your concentration and heightened your desire to attend as many sessions as possible. I had not experienced those feelings at a conference for a long time.

So, if you're passionate about a top- 
ic, interested in peers who share that 
passion, and you're willing to con- 
tribute your knowledge — the open- 
space approach is for you. 

Andrew Binstock is the principal analyst at Pacific Data Works. Read his blog at binstock.blogspot.com.

Making a Case for SOA in an Economic Downturn 



Let's face facts: Times are tight, and 
when times are tight, capital bud- 
gets shrink. Thus, many IT leaders are 
asked to make tough decisions around 
existing projects, with SOA typically 
being one of those projects on the 
chopping block. So, how do you defend 
SOA? 

To begin with, a lot of the money that 
leaks out of an enterprise is not in the 
form of "special projects," but in the 
cost of leveraging a less-than-optimal 
architecture and technology. The met- 
rics are clear: Bad architectures cost 
millions a year in lost time and produc- 
tivity, not allowing the enterprise to be 
as agile as it needs to be. However, man- 
agement typically fails to understand 
that until it becomes a critical issue that 
could bring down the company. 

SOA is one of those concepts that is 
hard to explain to management. SOA is 
architecture rather than technology, 
and thus many find it stale and unin- 
teresting. Moreover, it's something that 
takes years, not months. Thus, many 
executives who think short term, and 
are compensated that way, don't like 
long-term capital-intensive invest- 
ments, even if they do return a great 
deal to the company in the end. 

Truth be told, enterprise architectures have turned bad in many
enterprises because of this kind of shortsighted thinking. As IT
matured over the years, we found that "management by magazine," or
moving after the "cool technology" vs. the right architecture, was the
rule of the day. Short-term tactical decisions made without considering
the longer-term consequences replaced longer-term investments in
efficiencies and effectiveness.

Thus, layers upon layers of 
technology have become the 
de facto enterprise architec- 
ture. Lacking common vision 
and planning, it is largely dys- 
functional, inefficient, and 
eats millions of dollars every 
year in both lost revenue and 
lost opportunities. 

SOA is one approach to 
solving this problem. How- 
ever, to the point I made 
above, it needs a longer-term strategic 
investment. It's something you do, not 
something you bolt on. While easy to 
justify when times are good, many of 
those who work on SOA in their own 
companies are finding themselves in 
budget-cutting meetings — in essence, 
defending their project, and thus 
defending SOA. Perhaps this is you? 

Here are some issues you need to 
raise before a single dollar is removed 
from your project. 

First, and the most critical, make sure everyone understands the lost
ROI and impact on the enterprise, and do this in dollar figures. You'll
be surprised how much money is being saved, and made, well in line with
the investment. You need to make sure you do the analysis. If you can't
defend it, then perhaps the project should be canceled. Keep that in
mind.

Technologists have a tendency to 
sell the technology, not the 
benefit. So, keep in mind 
that you're "eliminating 
inefficiencies," not just do- 
ing SOA. Those inefficien- 
cies have a cost — make sure 
you list those costs and the 
benefits if the existing enter- 
prise architecture is made 
more agile, more efficient 
and more effective. 

Second, attempt to shift 
resources from existing projects to the 
SOA project. Chances are you have a 
few of those around. While it's a huge 
political football, once you do the 
analysis, you could find that SOA is a 
much better use of the money. 

This means the data warehousing 
project just down the hall, or the ERP 
implementation (they are always over 
budget), needs to take a back seat to 
SOA. Indeed, it's perhaps a good deci- 
sion to put a lot of tactical one-off proj- 
ects on hold while you figure the archi- 
tecture out . . . call me crazy. 

Finally, if the cuts can't be stopped, plan for the downtime. Make sure
the resources are maintained until you need them again; the restart may
cost much more than it should. If you lose the argument and SOA is "put
on hold," then attempt some damage control as best you can. However, I
would say that it's going to be very difficult to resurrect the project
without a lot of additional costs. Indeed, the organization is perhaps
not ready for SOA if they kill it, and expect to turn it back on like a
light switch.

Budget cuts are just part of busi- 
ness. In my tenure as a CEO, making 
cuts was one of the toughest things I 
had to do. However, I always weighed 
longer-term benefits against short- 
term gains. 

I'm not sure the executives today 
are thinking longer term, and this type 
of thinking is beginning to harm many 
enterprises. Eventually the layers upon 
layers of tactical thinking are going to 
take their toll on the effectiveness of 
IT, and there will be a tipping point 
where management panics and quickly 
attempts to fix an ineffective architec- 
ture. By that time, it's too late; no quick 
fixes here. Remember that as you consider
cuts in IT, specifically SOA.

David S. Linthicum is a managing part- 
ner at ZapThink. Reach him at 
david@zapthink.com.



Differences in Programmer Productivity 



Programming talent is not normal. 
There are some professional devel- 
opers who are very much better than 
average and some who are very much 
worse, but it doesn't seem that these tal- 
ents fall along the neat bell curve creat- 
ed by the normal, or Gaussian, distribu- 
tion. I say "seem" because, as boring as 
it is to say "the data are lacking," there are
astonishingly few real, peer-reviewed
studies of individual programmer pro- 
ductivity. This is especially true of stud- 
ies of professionals; it's dubious to 
extrapolate the real-world distribution of 
talent from studies of computer science 
students, if for no other reason than the 
very large number of self-educated 
developers in the workforce. 

Studying programmer productivity is 
made harder by the non-linear difficulty 
of software. A 500-line utility is not likely 
to be just 10 times less complex than a 
5,000-line program, and a 50,000-line 
application is certainly more than an 
order of magnitude harder still. Studies 
of programming contests and homework 
challenges largely miss the dynamics that 
kick in when a system involves many 
moving parts and can only be immediate- 
ly grasped as a collection of abstractions. 



Perhaps most important, profession- 
al software development is a team 
sport, and there's no simple way to 
measure an individual's overall contri- 
bution to success. Nonetheless, the 
studies that do exist reinforce the intu- 
ition that there is great variance in both 
individuals and teams. 

The question of talent dis- 
tribution is important because 
it implies certain team struc- 
tures. If, as some would have 
it, the striking thing about the 
distribution is that some 
developers are extraordinarily 
more productive (the "super- 
star" hypothesis), then it 
might make sense to structure 
software development along 
the lines of surgical teams, 
where the majority of the team is work- 
ing to support the productivity of the 
single leader. In the early 1970s, IBM's 
Harlan Mills advocated just this 
approach, contrasting this team struc- 
ture with "a hog-butchering team," in 
which everyone has the same job 
description. (Not that the choice be- 
tween being a surgeon or a hog butcher 
has any emotional leverage!) 







In a world where, say, 5 percent of 
programmers are 10 times (or even 20 
times, as has been recently batted about 
the blogosphere) more productive than 
the median, the best should enjoy not 
just job security, but also soaring salaries, 
increased deference and general 
acclaim. It's an appealing vision, especial- 
ly to those who think, "There's 
no one so much better than 
me that they can do in a day 
what I can do in a month of 
heads-down, phones-off de- 
velopment. Therefore, I must 
be among the elite." 

If, on the other hand, the 
distribution of programming
talent is characterized by a 
long tail of incompetence, it 
implies other strategies for 
improving overall team talent. It implies 
that chopping off the tail of incompe- 
tence is the fastest way to increase aver- 
age productivity and that, in hiring, we 
ought to concentrate not so much on 
finding elites but on avoiding the worst 
(no matter how cheap, no matter the 
vow to keep them on easy chores until 
they learn more). It also sadly means 
that knowing that there's a guy five times 
worse than you doesn't mean that you're
a superstar. 

That incompetents manage to stay in 
the profession is a lot less fun than a 
secret society of magical programmers, 
but the (sparse) data seem consistent in 
saying that while individuals vary signifi- 
cantly, the "average above-average" pro- 
grammer will be only a small multiple 
(perhaps around three times) faster than 
the "average below-average" developer 
(see, for instance, Lutz Prechelt's work 
at citeseer.ist.psu.edu/265148.html). 

Some will quickly point out that pro- 
gramming quality, like interest payments, 
compounds over time, and small differ- 
ences in day-to-day productivity may turn 
into order-of-magnitude differences in 
delivery time. This may be true (I believe 
it, although I know of no studies), but 
even if it were so, it would only be true in 
the context of a team that managed its 
members nimbly, avoiding colossal mis- 
takes and time-sapping distractions. That, 
rather than searching for a hero, is the 
unglamorous route to success.

Larry O'Brien is a technology consultant,
analyst and writer. Read his blog at
www.knowing.net.






INDUSTRY 



Software Development Times, February 15, 2008



www.sdtimes.com 



High-stakes Gaming's No Game 



Industry Watch 






Michael Milken. Nick Leeson. 
Charles Keating. To this rank list of 
ig-nobility we can add one Jerome 
Kerviel, who hit a new high by "gaming 
the system" at France's second-largest 
bank last month to the tune of 
about US$7.2 billion. 

And every software archi- 
tect, developer and security 
officer — not to mention HR 
manager — should shudder at 
the thought that a man widely 
considered of ordinary intelli- 
gence and skill could use the 
bank's rules, policies and pro- 
cedures against it to make 
trades that went bad and now 
threaten the institution's future. 

Heads have rolled, and more will 
follow. Surely, Kerviel is to blame. 
Reports said he admitted to concealing 
these larger-than-allowed, high-risk 
trades in the hopes of scoring big and 
impressing his bosses and others in the 
financial community. 

Kerviel began with the Societe Generale bank in the back office,
keeping an eye on traders, ironically enough. This taught him about the
bank's controls, and how he might subvert them. When he was promoted to
trader, he used that knowledge — and the help of co-workers who
supplied passwords and log-ins — to conceal his positions in various
futures. It became a shell game, with information being hidden during
routine systems checks by risk managers, and pulled out again later
after the checks were done. It is said that he traded billions of euros
in this manner.

But the bank shouldn't 
hang this all on Kerviel. He 
was able to execute this sub- 
terfuge because security officers became 
complacent, not expecting an intrusion to 
their system from the inside, and because 
software architects and programmers did 
not create enough layers of security or 
check for these kinds of vulnerabilities 
while the systems were being built. 

That's the scary part of this story. Busi- 
nesses always seem to expect attacks on 
their system to originate from the out- 
side, and use firewalls, authentication and 
good coding practices to prevent entry via
SQL injections or buffer overflows. But 
how do you stop an employee, or a group 
of them, from sharing their passwords 
and identities to gain access to parts of 
the system they should be blocked from? 

One important step is awareness. 
Companies usually do some sort of 
screening of potential employees before 
they are hired, but don't normally follow 
up. In the case of Societe Generale, it 
seems that Kerviel had lost a parent, got- 
ten divorced and broken up with his girl- 
friend in the time preceding his scheme. 
While it's not the job of the software man- 
ager to perform psychological profiling, 
he certainly should be aware of big 
changes in a developer's mood or work 
habits or other behavior that could signal 
a deeper emotional problem. Then, the 
manager should bring in Human 
Resources to assess the situation. 

This boils down to a cultural problem. 
If upper management doesn't make clear 
what its policies are in regard to security, 
unauthorized access and breach of trust, 
and ensure that its workers abide, the 
company is creating an environment in 
which malevolent behavior can breed.

David Rubinstein is editor-in-chief of 
SD Times. 



Reader Nominations Open for SD Times 100 



Reader nominations have opened 
for the sixth annual SD Times 100 
industry awards, but don't daw- 
dle—the deadline for submissions 
is March 1. 

The SD Times 100 recognizes the 
leaders and innovators who are pushing 
the boundaries of software development 
and, in so doing, are setting the agenda 
for software development managers and 
the industry. 

The awards will be published in the
June 1 issue of SD Times and will be
posted on SDTimes.com.

Any SD Times reader may nominate a company, organization or
individual. The nomination form is at
www.bzmedia.com/sdtimes100/nominations.htm. There is no fee to submit
a nomination; readers are requested to identify themselves (in case we
have questions about your nominations), but anonymous nominations are
permitted.

The judges of the SD Times 100 are 
the editors, columnists and regular con- 
tributors of SD Times. 



For the first time, the editors are calling for reader
anti-nominations for the SD Times WORST OF 2007 awards—companies and
organizations that made a profound impact on the art of software
development. But, sadly, that impact took the industry in the wrong
direction. Nominations for the WORST OF 2007 can be made at
www.bzmedia.com/sdtimes100/worst.htm.

More information about the SD Times
100 can be found at
www.bzmedia.com/sdtimes100. —Alan Zeichick



BUSINESS BRIEFS 



Legacy modernization solution provider BluePhoenix is selling its 58 
percent stake in its subsidiary Mainsoft Corp. for US$7 million, saying 
that company's focus has shifted away from BluePhoenix's core busi- 
ness. BluePhoenix offers tools and services for automated database and 
application migration and renewal, while Mainsoft remains focused on 
bridging the Java and .NET worlds. 

EARNINGS: Microsoft reported records for revenue, operating income 
and earnings at the end of its second fiscal quarter. Revenue was 
US$16.37 billion for the quarter, while operating income was $6.48 bil- 
lion and earnings were 50 cents per share. Helping to drive the numbers 
was Windows Vista, which helped increase Microsoft's Client business by 
more than 20 percent. The company says more than 100 million licens- 
es have been issued for the operating system . . . Compuware reported 
revenue of US$309.3 million for its third fiscal quarter ended Dec. 31, 
down slightly from $315.1 million in the same period a year ago. Earnings, 
though, rose 18 percent, to 13 cents per share from 11 cents in the prior 
year's period . . . VMware posted revenue of US$412 million for its fiscal
fourth quarter, up 80 percent from the year-ago quarter, the company
reported. Revenue for the year reached $1.33 billion.



BZ MEDIA EXTENDS CUSTOMER SERVICE OPTIONS 

BZ Media, publisher of News on Thursday, has moved 
to a new mail-distribution platform to allow us to do a 
better job of automatically handling your customer 
requests, including e-mail address changes and sub- 
scription preferences. 

Previously, all e-mail from BZ Media came from our 
BZMedia.com domain. Now, we've split our messages 
into four separate domains. If you maintain an e-mail 
white list, here are the four domains that you should 
add to the white list: 

• BZMedia.com - personal correspondence from 
our staff 

• BZ-News.com - delivering our newsletters and 
publications 

• BZ-Direct.com - reminders about BZ Media's 
subscriptions and events 

• BZ-Partners.com - information about leading 
products and services 

You can also always reach our customer service 
team at service@bzmedia.com or +1 (847) 763-9692.



EVENTS CALENDAR 



Game Developers Conference    Feb. 18-22
San Francisco
CMP MEDIA
www.gdconf.com

FutureTest 2008    Feb. 26-27
New York
BZ MEDIA
www.futuretest.net

Emerging Technology Conference    March 3-6
San Diego
O'REILLY MEDIA
conferences.oreillynet.com/etech

MIX 2008    March 5-7
Las Vegas
MICROSOFT
www.visitmix.com/2008

BrainShare    March 16-21
Salt Lake City
NOVELL
www.novell.com/brainshare

EclipseCon 2008    March 17-20
Santa Clara
ECLIPSE FOUNDATION
www.eclipsecon.org/2008

Secure Development World    March 25-26
Alexandria, Va.
SDW
www.securedevelopmentworld.com

SLAM (Sales, Licensing, Alliances & Marketing)    April 3-4
Burlingame, Calif.
SOFTWARE BUSINESS
www.slamconference.com

Developer Relations Conference    April 3-4
Redwood City, Calif.
EVANS DATA
www.evansdata.com/drc

RSA Conference    April 7-11
San Francisco
RSA
www.rsaconference.com/2008/US

MySQL Conference & Expo    April 14-17
Santa Clara
MYSQL
en.oreilly.com/mysql2008

Embedded Systems Conference    April 14-18
San Jose
CMP MEDIA
www.embedded.com/esc/sv

Software Test & Performance Conference    April 15-17
San Mateo, Calif.
BZ MEDIA
www.stpcon.com

Software 2008    April 29-30
Las Vegas
CMP MEDIA
www.software2008.com

JavaOne    May 6-9
San Francisco
SUN MICROSYSTEMS
java.sun.com/javaone/sf/index.jsp



For a more complete calendar of U.S. software 
development events, see www.bzmedia.com/calendar. 
Information is subject to change. Send news about 
upcoming events to events@bzmedia.com. 
All rights reserved. The price of a one-year subscription is US$179 for subscribers in the U.S., $189 in Canada, $229 elsewhere. POSTMASTER: Send address changes to SD Times, PO Box 2169, Skokie, IL 60076. SD Times subscriber services may be reached at sdtimes@halldata.com or by calling +1-847-763-9692.






